Fix out-of-bounds memory access due to large number of audio channels.

The number of audio channels can be configured in SDP, and can thus be
set to arbitrary values by an attacker. This CL fixes an out-of-bounds
memory access that could occur when the number of channels is set to a
large number.

Bug: chromium:1265806
Change-Id: Ic88ff6d85b978b8eb99bf03cc52457a4552e8c24
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/237808
Reviewed-by: Jakob Ivarsson <jakobi@webrtc.org>
Commit-Queue: Ivo Creusen <ivoc@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#35354}
diff --git a/modules/audio_coding/neteq/neteq_impl.cc b/modules/audio_coding/neteq/neteq_impl.cc
index 7e3c4ef..b415ff5 100644
--- a/modules/audio_coding/neteq/neteq_impl.cc
+++ b/modules/audio_coding/neteq/neteq_impl.cc
@@ -798,7 +798,19 @@
     RTC_DCHECK(audio_frame->muted());  // Reset() should mute the frame.
     playout_timestamp_ += static_cast<uint32_t>(output_size_samples_);
     audio_frame->sample_rate_hz_ = fs_hz_;
-    audio_frame->samples_per_channel_ = output_size_samples_;
+    // Make sure the total number of samples fits in the AudioFrame.
+    size_t num_output_samples_per_channel = output_size_samples_;
+    size_t num_output_samples = output_size_samples_ * sync_buffer_->Channels();
+    if (num_output_samples > AudioFrame::kMaxDataSizeSamples) {
+      RTC_LOG(LS_WARNING) << "Output array is too short. "
+                          << AudioFrame::kMaxDataSizeSamples << " < "
+                          << output_size_samples_ << " * "
+                          << sync_buffer_->Channels();
+      num_output_samples = AudioFrame::kMaxDataSizeSamples;
+      num_output_samples_per_channel =
+          AudioFrame::kMaxDataSizeSamples / sync_buffer_->Channels();
+    }
+    audio_frame->samples_per_channel_ = num_output_samples_per_channel;
     audio_frame->timestamp_ =
         first_packet_
             ? 0
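Review bot: The warning inside the new `if (num_output_samples > AudioFrame::kMaxDataSizeSamples)` branch is triggered by a channel count that, per the commit message, a remote peer can set through SDP, so if this path runs once per output frame the log can be flooded for as long as the stream lasts; consider logging it once per configuration change or rate-limiting it. In the same branch, `num_output_samples = AudioFrame::kMaxDataSizeSamples;` looks like a dead store, since only `num_output_samples_per_channel` is read in the lines shown. The integer division yields 0 samples per channel when `Channels()` exceeds the maximum, which deserves a comment such as `// May be 0 when Channels() > kMaxDataSizeSamples; the frame then carries no samples.`. Note also that `playout_timestamp_` is still advanced by the full `output_size_samples_` even when the frame is shortened, which is worth confirming as intended. The enclosing function starts and ends outside the hunk, so later uses of these values are not visible here.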