
USAN: applying non-zero offset to null pointer in EVS TCX decoding with frameloss

Basic info

Bug description

Clang USAN sanitizer test in pipeline found an error:

    lib_dec/dec_tcx.c:753:16: runtime error: applying non-zero offset 4 to null pointer
    SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset lib_dec/dec_tcx.c:753:16 in
    lib_dec/dec_LPD.c:608:25: runtime error: applying zero offset to null pointer
    SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset lib_dec/dec_LPD.c:608:25 in

For the first one, this is the line of code that is reported:

    prm_ltp = &prm[1 + NOISE_FILL_RANGES];

The error is detected in frame 13, which is a lost frame (st->bfi = 1). prm seems to be NULL in this case. In practice, this should not be a problem, as no parameters are read from a bitstream for st->bfi == 1. So this could probably be safely ignored. A fix would add ifs around the assignment and all subsequent assignments from prm or prm_ltp or other variables that get assigned from them; there are quite a lot of those, so this would clutter the code a bit.

For the second one:

            prm = param + ( k * DEC_NPRM_DIV );

Same thing happening, this time in frame 1106. Frame is lost, param is NULL. Same options for handling.
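As an added illustration (not IVAS code; constants, struct and function names are hypothetical, modelled on the two reported lines), the guarded variant of both spots: the parameter pointer is only offset once a buffer exists, so a lost frame with a NULL prm/param never performs pointer arithmetic on NULL, which is undefined behaviour even when nothing is dereferenced.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical constants, state and parameter layout modelled on the report; not the IVAS sources. */
#define NOISE_FILL_RANGES 2
#define DEC_NPRM_DIV      8

typedef struct {
    int bfi;                            /* bad-frame indicator: 1 = frame lost (st->bfi above) */
    int noise_fill[NOISE_FILL_RANGES], ltp_lag, ltp_gain;
} tcx_state_t;

/* The unguarded  prm_ltp = &prm[1 + NOISE_FILL_RANGES];  is undefined behaviour when prm == NULL even
 * if nothing is read through prm_ltp, so the pointer is formed only once a buffer (received frame) exists. */
int decode_tcx_params(tcx_state_t *st, const int *prm)
{
    if (st->bfi || prm == NULL) {       /* lost frame: no bitstream parameters, keep defaults */
        st->ltp_lag = st->ltp_gain = 0;
        memset(st->noise_fill, 0, sizeof st->noise_fill);
        return 0;
    }
    const int *prm_ltp = &prm[1 + NOISE_FILL_RANGES];   /* same offset as the reported line */
    for (int i = 0; i < NOISE_FILL_RANGES; i++)
        st->noise_fill[i] = prm[1 + i];
    st->ltp_lag  = prm_ltp[0];
    st->ltp_gain = prm_ltp[1];
    return 1;
}

/* Subframe split as in dec_LPD.c (param + k * DEC_NPRM_DIV): the offset is applied only to a
 * non-NULL base, which also covers the reported "zero offset to null pointer" case k == 0. */
int decode_lpd_frame(tcx_state_t *st, const int *param, int nb_subfr)
{
    int decoded = 0;
    for (int k = 0; k < nb_subfr; k++) {
        const int *prm = (param != NULL) ? param + (k * DEC_NPRM_DIV) : NULL;
        decoded += decode_tcx_params(st, prm);
    }
    return decoded;
}

/* Constructed two-subframe buffer: [mode, nf0, nf1, ltp_lag, ltp_gain, pad...] per subframe. */
static const int sample_param[2 * DEC_NPRM_DIV] = { 1, 3, 4, 40, 7, 0, 0, 0,  1, 5, 6, 52, 9, 0, 0, 0 };

int demo_received_frame(void) {     /* LTP lag of the last decoded subframe: 52 */
    tcx_state_t st = { .bfi = 0 };
    return decode_lpd_frame(&st, sample_param, 2) == 2 ? st.ltp_lag : -1;
}

int demo_lost_frame(void) {         /* bfi set and param NULL: no offset from NULL, 0 decoded */
    tcx_state_t st = { .bfi = 1 };
    return decode_lpd_frame(&st, NULL, 2);
}
```

Building this with `-fsanitize=undefined` and running both demo paths produces no nullptr-with-offset report, which is the check to repeat on the real decoder once the guards are in.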

Link to test pipeline: https://forge.3gpp.org/rep/ivas-codec-pc/ivas-codec/-/jobs/234373

Ways to reproduce

Using the scripts:

    python3 scripts/IvasBuildAndRunChecks.py --checks CLANG3 -m mono_b128_swb_cbr -p /path/to/my/local/ci_linux_ltv_local.json --usan_supp_file scripts/ubsan.supp

or directly:

dly_profile.dat

    make clean
    make -j CLANG=3
    ./IVAS_cod 128000 32 ltv32_STEREO.wav bit
    networkSimulator_g192 dly_profile.dat bit bit_err trace_dump 1
    ./IVAS_dec -voip 32 bit_err out.wav