From e090e12b5cff6aa7b29f43ee7295c753fcab37d9 Mon Sep 17 00:00:00 2001
From: Martin Vopatek
Date: Wed, 17 Oct 2018 10:53:00 +0200
Subject: [PATCH] G722: Fix buffer overflow generic_plc_transition_mix would read/write outside b_wptr if declen was less than 2*16*TRANSITION_DELAY.
---
 src/audiofilters/msg722.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/audiofilters/msg722.c b/src/audiofilters/msg722.c
index 864db352f..b5b865fb8 100644
--- a/src/audiofilters/msg722.c
+++ b/src/audiofilters/msg722.c
@@ -254,7 +254,7 @@ static void dec_process(MSFilter *f) {
 /* introduce delay (TRANSITION_DELAY ms) */
 generic_plc_update_continuity_buffer(s->plc_context, om->b_wptr, declen*sizeof(int16_t));
- if (s->plc_context->plc_samples_used!=0) {
+ if (s->plc_context->plc_samples_used!=0 && declen >= 2*16*TRANSITION_DELAY) {
 /* we were doing PLC, now resuming with normal audio, continuity buffer is twice the transition delay lengths,
 * the second half is untouched by the update function and contains transition data generated by PLC */
 generic_plc_transition_mix(((int16_t *)(om->b_wptr))+16*TRANSITION_DELAY, ((int16_t *)(s->plc_context->continuity_buffer))+16*TRANSITION_DELAY, 16*TRANSITION_DELAY);
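Review bot: The new `declen >= 2*16*TRANSITION_DELAY` guard protects only the `generic_plc_transition_mix` call, while `generic_plc_update_continuity_buffer(s->plc_context, om->b_wptr, declen*sizeof(int16_t))` on the context line just above still runs for a short frame. Its body is not visible here, so confirm that it clamps its copy to the length it is given rather than assuming a full transition window. When the guard fails while `plc_samples_used!=0`, the mix is skipped silently; the rest of this `if` body and of dec_process lies outside the hunk, so check that the PLC state is still reset on that path, otherwise it may stay stale after a short frame. Since `declen` is a sample count that presumably follows the size of the received payload, the bound deserves a comment on the condition, for example `/* mix touches samples [16*TRANSITION_DELAY, 2*16*TRANSITION_DELAY) of b_wptr; skip it when the decoded frame is shorter */`. A named constant in place of the repeated `16*TRANSITION_DELAY` would keep the guard and the offsets from drifting apart.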