iSAC float: Check for end of input buffer while decoding

Previously, we relied on the encoded stream to come to an end before the end of the buffer. This is a bad idea, since it is possible to craft a stream that fills the buffer while decoding to less than the expected amount of data; without the new checks introduced here, this causes the decoder to read past the end of the input buffer. BUG=chromium:582471, chromium:587852 Review URL: https://codereview.webrtc.org/1721593004 Cr-Commit-Position: refs/heads/master@{#11734}
2016-02-24 01:34:29 -08:00
parent b01c7816a8
commit b7261fd3ae
1 changed files with 9 additions and 0 deletions
--- a/webrtc/modules/audio_coding/codecs/isac/main/source/arith_routines_logist.c
+++ b/webrtc/modules/audio_coding/codecs/isac/main/source/arith_routines_logist.c
@ -185,11 +185,18 @@ int WebRtcIsac_DecLogisticMulti2(
  int16_t     candQ7;
  int             k;

+  // Position just past the end of the stream. STREAM_SIZE_MAX_60 instead of
+  // STREAM_SIZE_MAX (which is the size of the allocated buffer) because that's
+  // the limit to how much data is filled in.
+  const uint8_t* const stream_end = streamdata->stream + STREAM_SIZE_MAX_60;
+
  stream_ptr = streamdata->stream + streamdata->stream_index;
  W_upper = streamdata->W_upper;
  if (streamdata->stream_index == 0)   /* first time decoder is called for this stream */
  {
    /* read first word from bytestream */
+    if (stream_ptr + 3 >= stream_end)
+      return -1;  // Would read out of bounds. Malformed input?
    streamval = *stream_ptr << 24;
    streamval |= *++stream_ptr << 16;
    streamval |= *++stream_ptr << 8;
@ -277,6 +284,8 @@ int WebRtcIsac_DecLogisticMulti2(
    while ( !(W_upper & 0xFF000000) )    /* W_upper < 2^24 */
    {
      /* read next byte from stream */
+      if (stream_ptr + 1 >= stream_end)
+        return -1;  // Would read out of bounds. Malformed input?
      streamval = (streamval << 8) | *++stream_ptr;
      W_upper <<= 8;
    }