webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c - Issue 1704463002: Fix out-of-buffer write in iLBC

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c

Issue 1704463002: Fix out-of-buffer write in iLBC (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@ilbc-fuzz-fix568889

Patch Set: Created 4 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c

diff --git a/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c b/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c

index 6b2307c23715c996bb2c9490e08d292a3a99907d..5e1c217e26f85476c926696bf1be29a8546ac4b0 100644

--- a/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c

+++ b/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c

@@ -29,28 +29,36 @@ void WebRtcIlbcfix_CreateAugmentedVec(

size_t index, /* (i) Index for the augmented vector to be created */

int16_t *buffer, /* (i) Pointer to the end of the codebook memory that

is used for creation of the augmented codebook */

- int16_t *cbVec /* (o) The construced codebook vector */

+ int16_t *cbVec /* (o) The constructed codebook vector */

) {

size_t ilow;

int16_t *ppo, *ppi;

int16_t cbVecTmp[4];

+ /* Interpolation starts 4 elements before cbVec+index, but must not start

+ outside |cbVec|; clamping interp_len to stay within |cbVec|.

+ */

+ size_t interp_len = WEBRTC_SPL_MIN(index, 4);

- ilow = index-4;

+ ilow = index - interp_len;

/* copy the first noninterpolated part */

ppo = buffer-index;

WEBRTC_SPL_MEMCPY_W16(cbVec, ppo, index);

/* interpolation */

- ppo = buffer - 4;

- ppi = buffer - index - 4;

+ ppo = buffer - interp_len;

+ ppi = buffer - index - interp_len;

- /* perform cbVec[ilow+k] = ((ppi[k]*alphaTbl[k])>>15) + ((ppo[k]*alphaTbl[3-k])>>15);

- for k = 0..3

+ /* perform cbVec[ilow+k] = ((ppi[k]*alphaTbl[k])>>15) +

+ ((ppo[k]*alphaTbl[interp_len-1-k])>>15);

+ for k = 0..interp_len-1

- WebRtcSpl_ElementwiseVectorMult(&cbVec[ilow], ppi, WebRtcIlbcfix_kAlpha, 4, 15);

- WebRtcSpl_ReverseOrderMultArrayElements(cbVecTmp, ppo, &WebRtcIlbcfix_kAlpha[3], 4, 15);

- WebRtcSpl_AddVectorsAndShift(&cbVec[ilow], &cbVec[ilow], cbVecTmp, 4, 0);

+ WebRtcSpl_ElementwiseVectorMult(&cbVec[ilow], ppi, WebRtcIlbcfix_kAlpha,

+ interp_len, 15);

+ WebRtcSpl_ReverseOrderMultArrayElements(

+ cbVecTmp, ppo, &WebRtcIlbcfix_kAlpha[interp_len - 1], interp_len, 15);

+ WebRtcSpl_AddVectorsAndShift(&cbVec[ilow], &cbVec[ilow], cbVecTmp, interp_len,

+ 0);

/* copy the second noninterpolated part */

ppo = buffer - index;

« no previous file with comments | « no previous file | no next file » | no next file with comments »