Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(533)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c

Issue 1704463002: Fix out-of-buffer write in iLBC (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@ilbc-fuzz-fix568889
Patch Set: Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (c) 2011 The WebRTC project authors. All Rights Reserved. 2 * Copyright (c) 2011 The WebRTC project authors. All Rights Reserved.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license 4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source 5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found 6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may 7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree. 8 * be found in the AUTHORS file in the root of the source tree.
9 */ 9 */
10 10
(...skipping 11 matching lines...) Expand all
22 22
23 /*----------------------------------------------------------------* 23 /*----------------------------------------------------------------*
24 * Recreate a specific codebook vector from the augmented part. 24 * Recreate a specific codebook vector from the augmented part.
25 * 25 *
26 *----------------------------------------------------------------*/ 26 *----------------------------------------------------------------*/
27 27
28 void WebRtcIlbcfix_CreateAugmentedVec( 28 void WebRtcIlbcfix_CreateAugmentedVec(
29 size_t index, /* (i) Index for the augmented vector to be created */ 29 size_t index, /* (i) Index for the augmented vector to be created */
30 int16_t *buffer, /* (i) Pointer to the end of the codebook memory that 30 int16_t *buffer, /* (i) Pointer to the end of the codebook memory that
31 is used for creation of the augmented codebook */ 31 is used for creation of the augmented codebook */
32 int16_t *cbVec /* (o) The construced codebook vector */ 32 int16_t *cbVec /* (o) The constructed codebook vector */
33 ) { 33 ) {
34 size_t ilow; 34 size_t ilow;
35 int16_t *ppo, *ppi; 35 int16_t *ppo, *ppi;
36 int16_t cbVecTmp[4]; 36 int16_t cbVecTmp[4];
37 /* Interpolation starts 4 elements before cbVec+index, but must not start
38 outside |cbVec|; clamping interp_len to stay within |cbVec|.
39 */
40 size_t interp_len = WEBRTC_SPL_MIN(index, 4);
37 41
38 ilow = index-4; 42 ilow = index - interp_len;
39 43
40 /* copy the first noninterpolated part */ 44 /* copy the first noninterpolated part */
41 ppo = buffer-index; 45 ppo = buffer-index;
42 WEBRTC_SPL_MEMCPY_W16(cbVec, ppo, index); 46 WEBRTC_SPL_MEMCPY_W16(cbVec, ppo, index);
43 47
44 /* interpolation */ 48 /* interpolation */
45 ppo = buffer - 4; 49 ppo = buffer - interp_len;
46 ppi = buffer - index - 4; 50 ppi = buffer - index - interp_len;
47 51
48 /* perform cbVec[ilow+k] = ((ppi[k]*alphaTbl[k])>>15) + ((ppo[k]*alphaTbl[3-k] )>>15); 52 /* perform cbVec[ilow+k] = ((ppi[k]*alphaTbl[k])>>15) +
49 for k = 0..3 53 ((ppo[k]*alphaTbl[interp_len-1-k])>>15);
54 for k = 0..interp_len-1
50 */ 55 */
51 WebRtcSpl_ElementwiseVectorMult(&cbVec[ilow], ppi, WebRtcIlbcfix_kAlpha, 4, 15 ); 56 WebRtcSpl_ElementwiseVectorMult(&cbVec[ilow], ppi, WebRtcIlbcfix_kAlpha,
52 WebRtcSpl_ReverseOrderMultArrayElements(cbVecTmp, ppo, &WebRtcIlbcfix_kAlpha[3 ], 4, 15); 57 interp_len, 15);
53 WebRtcSpl_AddVectorsAndShift(&cbVec[ilow], &cbVec[ilow], cbVecTmp, 4, 0); 58 WebRtcSpl_ReverseOrderMultArrayElements(
59 cbVecTmp, ppo, &WebRtcIlbcfix_kAlpha[interp_len - 1], interp_len, 15);
60 WebRtcSpl_AddVectorsAndShift(&cbVec[ilow], &cbVec[ilow], cbVecTmp, interp_len,
61 0);
54 62
55 /* copy the second noninterpolated part */ 63 /* copy the second noninterpolated part */
56 ppo = buffer - index; 64 ppo = buffer - index;
57 /* |tempbuff2| is declared in WebRtcIlbcfix_GetCbVec and is SUBL+5 elements 65 /* |tempbuff2| is declared in WebRtcIlbcfix_GetCbVec and is SUBL+5 elements
58 long. |buffer| points one element past the end of that vector, i.e., at 66 long. |buffer| points one element past the end of that vector, i.e., at
59 tempbuff2+SUBL+5. Since ppo=buffer-index, we cannot read any more than 67 tempbuff2+SUBL+5. Since ppo=buffer-index, we cannot read any more than
60 |index| elements from |ppo|. 68 |index| elements from |ppo|.
61 69
62 |cbVec| is declared to be SUBL elements long in WebRtcIlbcfix_CbConstruct. 70 |cbVec| is declared to be SUBL elements long in WebRtcIlbcfix_CbConstruct.
63 Therefore, we can only write SUBL-index elements to cbVec+index. 71 Therefore, we can only write SUBL-index elements to cbVec+index.
64 72
65 These two conditions limit the number of elements to copy. 73 These two conditions limit the number of elements to copy.
66 */ 74 */
67 WEBRTC_SPL_MEMCPY_W16(cbVec+index, ppo, WEBRTC_SPL_MIN(SUBL-index, index)); 75 WEBRTC_SPL_MEMCPY_W16(cbVec+index, ppo, WEBRTC_SPL_MIN(SUBL-index, index));
68 } 76 }
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698