From 10b76c2e9f1534de69ec703f7cd10c7ac5b2b27f Mon Sep 17 00:00:00 2001
From: Henrik Lundin <henrik.lundin@webrtc.org>
Date: Tue, 15 Feb 2022 15:13:34 +0000
Subject: [Backport] Security bug 1280852

Adding fuzzer for PCM16b decoder and fixing a fuzzer problem

Backport review link:
https://webrtc-review.googlesource.com/c/src/+/251580

Bug: chromium:1280852
Change-Id: I732d44ddcd7b4c25c9c09932254820ab6cc85c46
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 .../modules/audio_coding/codecs/pcm16b/audio_decoder_pcm16b.cc     | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/chromium/third_party/webrtc/modules/audio_coding/codecs/pcm16b/audio_decoder_pcm16b.cc b/chromium/third_party/webrtc/modules/audio_coding/codecs/pcm16b/audio_decoder_pcm16b.cc
index 1dd2ff289ee..7761efe8b3b 100644
--- a/chromium/third_party/webrtc/modules/audio_coding/codecs/pcm16b/audio_decoder_pcm16b.cc
+++ b/chromium/third_party/webrtc/modules/audio_coding/codecs/pcm16b/audio_decoder_pcm16b.cc
@@ -42,7 +42,12 @@ int AudioDecoderPcm16B::DecodeInternal(const uint8_t* encoded,
                                        int16_t* decoded,
                                        SpeechType* speech_type) {
   RTC_DCHECK_EQ(sample_rate_hz_, sample_rate_hz);
-  size_t ret = WebRtcPcm16b_Decode(encoded, encoded_len, decoded);
+  // Adjust the encoded length down to ensure the same number of samples in each
+  // channel.
+  const size_t encoded_len_adjusted =
+      PacketDuration(encoded, encoded_len) * 2 *
+      Channels();  // 2 bytes per sample per channel
+  size_t ret = WebRtcPcm16b_Decode(encoded, encoded_len_adjusted, decoded);
   *speech_type = ConvertSpeechType(1);
   return static_cast<int>(ret);
 }
-- 
cgit v1.2.1