From 2c38c20e7bce3e4fe41dfdab3db0582cea39de20 Mon Sep 17 00:00:00 2001
From: "henrik.lundin"
Date: Tue, 16 Feb 2016 10:01:51 -0800
Subject: [PATCH] Fix out-of-buffer write in iLBC

In some cases, the decoder can write outside of an allocated array. See the new comment in the code for more details.
BUG=chromium:568885, webrtc:5305
Review URL: https://codereview.webrtc.org/1704463002
Cr-Commit-Position: refs/heads/master@{#11641}
---
 .../codecs/ilbc/create_augmented_vec.c | 26 ++++++++++++-------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c b/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c
index 6b2307c237..5e1c217e26 100644
--- a/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c
+++ b/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c
@@ -29,28 +29,36 @@ void WebRtcIlbcfix_CreateAugmentedVec( size_t index, /* (i) Index for the augmented vector to be created */ int16_t *buffer, /* (i) Pointer to the end of the codebook memory that is used for creation of the augmented codebook */ - int16_t *cbVec /* (o) The construced codebook vector */ + int16_t *cbVec /* (o) The constructed codebook vector */ ) { size_t ilow; int16_t *ppo, *ppi; int16_t cbVecTmp[4]; + /* Interpolation starts 4 elements before cbVec+index, but must not start + outside |cbVec|; clamping interp_len to stay within |cbVec|. + */ + size_t interp_len = WEBRTC_SPL_MIN(index, 4); - ilow = index-4; + ilow = index - interp_len; /* copy the first noninterpolated part */ ppo = buffer-index; WEBRTC_SPL_MEMCPY_W16(cbVec, ppo, index); /* interpolation */ - ppo = buffer - 4; - ppi = buffer - index - 4; + ppo = buffer - interp_len; + ppi = buffer - index - interp_len; - /* perform cbVec[ilow+k] = ((ppi[k]*alphaTbl[k])>>15) + ((ppo[k]*alphaTbl[3-k])>>15); - for k = 0..3 + /* perform cbVec[ilow+k] = ((ppi[k]*alphaTbl[k])>>15) + + ((ppo[k]*alphaTbl[interp_len-1-k])>>15); + for k = 0..interp_len-1 */ - WebRtcSpl_ElementwiseVectorMult(&cbVec[ilow], ppi, WebRtcIlbcfix_kAlpha, 4, 15); - WebRtcSpl_ReverseOrderMultArrayElements(cbVecTmp, ppo, &WebRtcIlbcfix_kAlpha[3], 4, 15); - WebRtcSpl_AddVectorsAndShift(&cbVec[ilow], &cbVec[ilow], cbVecTmp, 4, 0); + WebRtcSpl_ElementwiseVectorMult(&cbVec[ilow], ppi, WebRtcIlbcfix_kAlpha, + interp_len, 15); + WebRtcSpl_ReverseOrderMultArrayElements( + cbVecTmp, ppo, &WebRtcIlbcfix_kAlpha[interp_len - 1], interp_len, 15); + WebRtcSpl_AddVectorsAndShift(&cbVec[ilow], &cbVec[ilow], cbVecTmp, interp_len, + 0); /* copy the second noninterpolated part */ ppo = buffer - index;
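Review bot: The clamp `interp_len = WEBRTC_SPL_MIN(index, 4)` leaves one edge open. When `index` is 0, `interp_len` is 0 and `&WebRtcIlbcfix_kAlpha[interp_len - 1]` wraps the unsigned subtraction, forming a pointer far outside the table even though the element count passed alongside it is 0. Whether `index == 0` can reach this function is not visible from the hunk, so either guard the interpolation with `if (interp_len > 0) { ... }` around the three `WebRtcSpl_*` calls, or document the precondition next to the clamp, e.g. `/* index >= 1 is guaranteed by the caller */`. The clamp also silently accepts an out-of-range `index` instead of rejecting it where the value is decoded from the payload. The patch touches only this file, so a regression test feeding `index` values 0 through 3 would show the write stays inside `cbVec`. The function body continues past the end of the hunk.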