ASAN: stack-buffer-overflow in OSBA_ISM1_PlanarFOA decoding to BINAURAL
Basic info
- Commit SHA: 3a0ecd3b
Bug description
The Clang ASan sanitizer test in the pipeline found an error:
==1215143==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff1a946e20 at pc 0x0000006f4d92 bp 0x7fff1a940b70 sp 0x7fff1a940b68
READ of size 8 at 0x7fff1a946e20 thread T0
#0 0x6f4d91 in ivas_sba_dec_render /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_sba_dec.c:805:30
#1 0x69c008 in ivas_osba_dirac_td_binaural_jbm /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_osba_dec.c:148:20
#2 0x610d68 in ivas_jbm_dec_flush_renderer /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_jbm_dec.c:1786:28
#3 0x6ecdee in ivas_sba_dec_reconfigure /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_sba_dec.c:230:28
#4 0x5b73da in ivas_dec_setup /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_init_dec.c:506:32
#5 0x4ee40d in IVAS_DEC_Setup /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/lib_dec.c:1363:28
#6 0x4ed01f in IVAS_DEC_GetSamples /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/lib_dec.c:936:28
#7 0x4f8fa3 in IVAS_DEC_VoIP_GetSamples /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/lib_dec.c:2812:28
#8 0x4daa84 in decodeVoIP /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/apps/decoder.c:3284:24
#9 0x4d29a4 in main /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/apps/decoder.c:862:17
#10 0x7f8a2d675d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#11 0x7f8a2d675e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#12 0x41f594 in _start (/home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/CLANG2/IVAS_dec+0x41f594)
Address 0x7fff1a946e20 is located in stack of thread T0 at offset 15776 in frame
#0 0x60dcef in ivas_jbm_dec_flush_renderer /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_jbm_dec.c:1583
This frame has 5 object(s):
[32, 15392) 'output' (line 1589)
[15648, 15776) 'p_output' (line 1590) <== Memory access at offset 15776 overflows this variable
[15808, 15904) 'tc_local' (line 1724)
[15936, 16032) 'tc_local246' (line 1752)
[16064, 16066) 'nSamplesAvailableNext' (line 1755)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/gitlab-runner/builds/jtzTJMmS/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_sba_dec.c:805:30 in ivas_sba_dec_render
==1215143==ABORTING
Link to test pipeline: https://forge.3gpp.org/rep/ivas-codec-pc/ivas-codec/-/jobs/224449
Ways to reproduce
Using the scripts:
python3 scripts/IvasBuildAndRunChecks.py --checks CLANG2 -m OSBA_ISM1_PlanarFOA_ball_fb_rs -p /path/to/my/local/ci_linux_ltv_local.json --usan_supp_file scripts/ubsan.supp -J dly_profile.dat
or directly:
make clean
make -j CLANG=2
./IVAS_cod -ism_sba 1 -1 NULL -max_band fb scripts/switchPaths/sw_13k2_512k.bin 48 ltv48_OSBA_1ISM_FOA.wav bit
networkSimulator_g192 dly_profile.dat bit bit_err trace_dump 1
./IVAS_dec -VOIP BINAURAL 48 bit_err out.wav
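An added triage helper (not part of the original issue or of the IVAS code base) that reads the frame layout ASan printed in the report above and relates the faulting stack offset to the nearest variable. It assumes the array's element size equals the 8-byte access size, which ASan does not print.

```python
import re

# Lines copied from the ASan report in this issue (frame of ivas_jbm_dec_flush_renderer).
REPORT = """\
READ of size 8 at 0x7fff1a946e20 thread T0
Address 0x7fff1a946e20 is located in stack of thread T0 at offset 15776 in frame
[32, 15392) 'output' (line 1589)
[15648, 15776) 'p_output' (line 1590) <== Memory access at offset 15776 overflows this variable
[15808, 15904) 'tc_local' (line 1724)
[15936, 16032) 'tc_local246' (line 1752)
[16064, 16066) 'nSamplesAvailableNext' (line 1755)
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at ", re.M)
OFFSET_RE = re.compile(r"located in stack of thread \S+ at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)", re.M)


def triage_stack_report(report):
    """Map the faulting frame offset to the closest stack object.

    Assumption: the object is an array whose element size equals the
    access size; the element type is not part of the ASan output.
    """
    access = ACCESS_RE.search(report)
    where = OFFSET_RE.search(report)
    objects = [(int(s), int(e), name, int(line))
               for s, e, name, line in OBJECT_RE.findall(report)]
    if not (access and where and objects):
        raise ValueError("not an ASan stack report with a frame layout")
    kind, size = access.group(1), int(access.group(2))
    offset = int(where.group(1))

    def gap(obj):
        # Bytes between the accessed range and the object; 0 if they touch.
        return max(offset - obj[1], obj[0] - (offset + size), 0)

    start, end, name, line = min(objects, key=gap)
    if offset < start:
        direction = "underflow"
    elif offset + size > end:
        direction = "overflow"
    else:
        direction = "in-bounds"
    return {"variable": name, "declared_line": line, "access": kind,
            "direction": direction,
            "slots": (end - start) // size,    # capacity in access-sized elements
            "index": (offset - start) // size}  # element index that was touched
```

For this report the helper selects `p_output` with 16 slots and index 16, so under the stated assumption the read in `ivas_sba_dec_render` lands exactly one element past the end of the array.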