From 624fb67bbc785cd35b78b8dc6c053d2b1874f6eb Mon Sep 17 00:00:00 2001 From: Ivo Creusen Date: Tue, 23 Nov 2021 17:00:51 +0000 Subject: [PATCH] Revert "Fix out-of-bounds memory access due to large number of audio channels." This reverts commit 4cbfe4192cd5b8289f7896ce14e0bd8c4ae41a97. Reason for revert: The fix in this CL is ineffective. A better one has been created here: https://webrtc-review.googlesource.com/c/src/+/238666 Original change's description: > Fix out-of-bounds memory access due to large number of audio channels. > > The number of audio channels can be configured in SDP, and can thus be > set to arbitrary values by an attacker. This CL fixes an out-of-bounds > memory access that could occur when the number of channels is set to a > large number. > > Bug: chromium:1265806 > Change-Id: Ic88ff6d85b978b8eb99bf03cc52457a4552e8c24 > Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/237808 > Reviewed-by: Jakob Ivarsson > Commit-Queue: Ivo Creusen > Cr-Commit-Position: refs/heads/main@{#35354} # Not skipping CQ checks because original CL landed > 1 day ago. Bug: chromium:1265806 Change-Id: If695ed92f831c2a9631efdf47f1568f5a15c1841 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/238803 Reviewed-by: Ivo Creusen Reviewed-by: Jakob Ivarsson Commit-Queue: Ivo Creusen Cr-Commit-Position: refs/heads/main@{#35413}
---
 modules/audio_coding/neteq/neteq_impl.cc | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/modules/audio_coding/neteq/neteq_impl.cc b/modules/audio_coding/neteq/neteq_impl.cc
index b415ff5a56..7e3c4efab9 100644
--- a/modules/audio_coding/neteq/neteq_impl.cc
+++ b/modules/audio_coding/neteq/neteq_impl.cc
@@ -798,19 +798,7 @@ int NetEqImpl::GetAudioInternal(AudioFrame* audio_frame,
 RTC_DCHECK(audio_frame->muted()); // Reset() should mute the frame.
 playout_timestamp_ += static_cast(output_size_samples_);
 audio_frame->sample_rate_hz_ = fs_hz_;
- // Make sure the total number of samples fits in the AudioFrame.
- size_t num_output_samples_per_channel = output_size_samples_;
- size_t num_output_samples = output_size_samples_ * sync_buffer_->Channels();
- if (num_output_samples > AudioFrame::kMaxDataSizeSamples) {
- RTC_LOG(LS_WARNING) << "Output array is too short. "
- << AudioFrame::kMaxDataSizeSamples << " < "
- << output_size_samples_ << " * "
- << sync_buffer_->Channels();
- num_output_samples = AudioFrame::kMaxDataSizeSamples;
- num_output_samples_per_channel =
- AudioFrame::kMaxDataSizeSamples / sync_buffer_->Channels();
- }
- audio_frame->samples_per_channel_ = num_output_samples_per_channel;
+ audio_frame->samples_per_channel_ = output_size_samples_;
 audio_frame->timestamp_ = first_packet_ ? 0