authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-14 14:14:02 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-14 14:43:25 +0000
commit66c739040bba9a4b2ae4b66a86bde1b738e06fec (patch)
treed9b1025e3b74348262fff891841fa445adaf5d63
parent9312eb97bf60f252daf5a9f875ba36130e40503a (diff)
[Backport] Security issue 986727 [2/2]
Fix NEON optimizations buffer read overrun - Patch https://git.xiph.org/?p=opus.git;a=commit;h=cd529ed - Undo change from https://chromium-review.googlesource.com/c/chromium/src/+/1746617, which truncated the buffer too early (cherry picked from commit afc68cb76979eaa1cfe9666aac2b0822f30c641e) Bug: 986727 Change-Id: Iefb890ff828d8703a24bd61ec1411c8476b03a29 Reviewed-by: James Zern <jzern@google.com> Commit-Queue: Felicia Lim <flim@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#693783} Reviewed-by: Felicia Lim <flim@chromium.org> Cr-Commit-Position: refs/branch-heads/3865@{#862} Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094} Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/opus/README.chromium3
-rw-r--r--chromium/third_party/opus/src/silk/fixed/arm/warped_autocorrelation_FIX_neon_intr.c11
2 files changed, 9 insertions, 5 deletions
diff --git a/chromium/third_party/opus/README.chromium b/chromium/third_party/opus/README.chromium
index 53f074b65fd..05aa557a18b 100644
--- a/chromium/third_party/opus/README.chromium
+++ b/chromium/third_party/opus/README.chromium
@@ -20,5 +20,4 @@ Local changes:
* Make sure HB_gain is not NaN in an attempt to fix chromium:826914
* Saturate add to avoid int overflow to fix chromium:842528. This should be
reverted when updating to v1.3
-* Fix NEON optimizations overrun buffer due to improper termination condition
- (https://chromium-review.googlesource.com/c/chromium/src/+/1746617)
+* Apply https://git.xiph.org/?p=opus.git;a=commit;h=cd529ed
diff --git a/chromium/third_party/opus/src/silk/fixed/arm/warped_autocorrelation_FIX_neon_intr.c b/chromium/third_party/opus/src/silk/fixed/arm/warped_autocorrelation_FIX_neon_intr.c
index 79f4c942ac6..6f3be025cc3 100644
--- a/chromium/third_party/opus/src/silk/fixed/arm/warped_autocorrelation_FIX_neon_intr.c
+++ b/chromium/third_party/opus/src/silk/fixed/arm/warped_autocorrelation_FIX_neon_intr.c
@@ -84,7 +84,9 @@ void silk_warped_autocorrelation_FIX_neon(
silk_assert( ( order & 1 ) == 0 );
silk_assert( 2 * QS - QC >= 0 );
- ALLOC( input_QST, length + 2 * MAX_SHAPE_LPC_ORDER, opus_int32 );
+ /* The additional +4 is to ensure a later vld1q_s32 call does not overflow. */
+ /* Strictly, only +3 is needed but +4 simplifies initialization using the 4x32 neon load. */
+ ALLOC( input_QST, length + 2 * MAX_SHAPE_LPC_ORDER + 4, opus_int32 );
input_QS = input_QST;
/* input_QS has zero paddings in the beginning and end. */
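Review bot: The new comment above `ALLOC( input_QST, ... )` says "overflow", but the padding guards against a 4-lane load reading past the end of the buffer, and the comment does not say that the extra four elements must also be zeroed. That zeroing comes from the separate `vst1q_s32` store added in the next hunk, so the allocation size and the number of unrolled zero stores now have to be kept in step by hand. I would word it as `/* +4 elements of tail padding so the last vld1q_s32 stays inside input_QST; the padding is zeroed by the final vst1q_s32 below. */`. The function body starts and ends outside this hunk, so the load in question is not visible here.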
@@ -121,6 +123,8 @@ void silk_warped_autocorrelation_FIX_neon(
vst1q_s32( input_QS, vdupq_n_s32( 0 ) );
input_QS += 4;
vst1q_s32( input_QS, vdupq_n_s32( 0 ) );
+ input_QS += 4;
+ vst1q_s32( input_QS, vdupq_n_s32( 0 ) );
input_QS = input_QST + MAX_SHAPE_LPC_ORDER - orderT;
/* The following loop runs ( length + order ) times, with ( order ) extra epilogues. */
@@ -153,7 +157,8 @@ void silk_warped_autocorrelation_FIX_neon(
opus_int o = orderT;
int32x4_t state_QS_s32x4[ 3 ][ 2 ];
- ALLOC( state, length + orderT, opus_int32 );
+ /* The additional +4 is to ensure a later vld1q_s32 call does not overflow. */
+ ALLOC( state, length + order + 4, opus_int32 );
state_QS_s32x4[ 2 ][ 1 ] = vdupq_n_s32( 0 );
/* Calculate 8 taps of all inputs in each loop. */
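Review bot: The `ALLOC( state, length + order + 4, opus_int32 )` line changes two things at once, the added `+ 4` and `orderT` becoming `order`, and the comment only accounts for the first. The size is also tied to the loop bound that the last hunk changes to `++n < ( length + order )`: assuming each iteration does a 4-lane load or store at offset `n`, the highest index touched is `length + order + 2`, which is what the padding covers. Saying so in the comment, for example `/* Loop below runs n < length + order with 4-lane accesses at n, so indices up to length + order + 2 are touched; +4 keeps that inside state. */`, would make it harder for a later edit to change one without the other. The loads and stores themselves are outside the visible hunks, so this arithmetic should be checked against the full loop body.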
@@ -172,7 +177,7 @@ void silk_warped_autocorrelation_FIX_neon(
state_QS_s32x4[ 0 ][ 1 ] = calc_state( state_QS_s32x4[ 0 ][ 1 ], state_QS_s32x4[ 2 ][ 1 ], state_QS_s32x4[ 1 ][ 1 ], warping_Q16_s32x4 );
state_QS_s32x4[ 1 ][ 0 ] = state_QS_s32x4[ 2 ][ 0 ];
state_QS_s32x4[ 1 ][ 1 ] = state_QS_s32x4[ 2 ][ 1 ];
- } while( ++n < ( length + order - 3 ) );
+ } while( ++n < ( length + order ) );
in = state;
o -= 8;
} while( o > 4 );