Make an energy computation not overflow in iLBC PLC
The current implementation carefully shifts down the energy so as not to overflow.
The fuzzer audio_decoder_ilbc_fuzzer found an integer overflow anyway.
The energy is only used for a threshold check.
This fix stops the energy computation when the threshold is reached, before it can overflow.
Bug: chromium:837922
Change-Id: I45e84d2d271a37e6476b08433a2cbd5a8f6e6f26
Reviewed-on: https://webrtc-review.googlesource.com/76122
Commit-Queue: Sam Zackrisson <saza@webrtc.org>
Reviewed-by: Minyue Li <minyue@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23242}
diff --git a/modules/audio_coding/codecs/ilbc/do_plc.c b/modules/audio_coding/codecs/ilbc/do_plc.c
index 5d3e896..26ec03f 100644
--- a/modules/audio_coding/codecs/ilbc/do_plc.c
+++ b/modules/audio_coding/codecs/ilbc/do_plc.c
@@ -40,6 +40,7 @@
size_t i;
int32_t cross, ener, cross_comp, ener_comp = 0;
int32_t measure, maxMeasure, energy;
+ int32_t noise_energy_threshold_30dB;
int16_t max, crossSquareMax, crossSquare;
size_t j, lag, randlag;
int16_t tmp1, tmp2;
@@ -231,8 +232,8 @@
}
/* compute concealed residual */
+ noise_energy_threshold_30dB = (int32_t)iLBCdec_inst->blockl * 900;
energy = 0;
-
for (i=0; i<iLBCdec_inst->blockl; i++) {
/* noise component - 52 < randlagFIX < 117 */
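Review bot: The line computing `noise_energy_threshold_30dB` carries no comment stating the bound that the later guarded add depends on. In the next hunk, `energy += PLCresidual[i] * PLCresidual[i]` can add up to 32768 * 32768 (2^30) in one step, assuming PLCresidual is int16_t, which is declared outside this hunk. The sum therefore stays inside int32_t only while `blockl * 900` is below INT32_MAX - 2^30. I would record that next to the assignment, for example `/* blockl * 900 must stay below INT32_MAX - 32768 * 32768 so that one more squared sample cannot overflow energy */`. If blockl has a compile-time maximum elsewhere in the codec, a static assertion on it would be stronger than the comment.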
@@ -268,15 +269,14 @@
((pitchfact * PLCresidual[i] + (32767 - pitchfact) * randvec[i] +
16384) >> 15)) >> 15);
- /* Shifting down the result one step extra to ensure that no overflow
- will occur */
- energy += (PLCresidual[i] * PLCresidual[i]) >>
- (iLBCdec_inst->prevScale + 1);
+ /* Compute energy until threshold for noise energy is reached */
+ if (energy < noise_energy_threshold_30dB) {
+ energy += PLCresidual[i] * PLCresidual[i];
+ }
}
/* less than 30 dB, use only noise */
- if (energy < (WEBRTC_SPL_SHIFT_W32(((int32_t)iLBCdec_inst->blockl*900),-(iLBCdec_inst->prevScale+1)))) {
- energy = 0;
+ if (energy < noise_energy_threshold_30dB) {
for (i=0; i<iLBCdec_inst->blockl; i++) {
PLCresidual[i] = randvec[i];
}
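Review bot: After this change `energy` is a partial sum that stops growing once it reaches the threshold, not the block's total energy, but the new comment at the guarded add does not say so. The `energy = 0;` reset inside the noise-only branch is also removed, so any read of `energy` later in the function (which continues outside the hunk) would now see a different value. The commit message says the value is only used for this check, and that belongs in the code, for example `/* energy is only compared against the 30 dB threshold below; accumulation stops there so the sum cannot overflow, and the value is not the total energy */`. A decoder unit test built from the fuzzer input would keep the overflow from returning unnoticed, if one is not already part of this change.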