Skip to content

USAN: index out of bounds for OMASA JBM decoding to EXT with rate switching

Basic info

Bug description

Clang USAN sanitizer test in pipeline found an error:

lib_dec/ivas_jbm_dec.c:2522:28: runtime error: index 8 out of bounds for type 'int16_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: out-of-bounds-index lib_dec/ivas_jbm_dec.c:2522:28 in

The error happens in frame 4364, this is the code portion:

static void ivas_jbm_dec_tc_buffer_playout(
    Decoder_Struct *st_ivas,
    const uint16_t nSamplesAsked,
    uint16_t *nSamplesRendered,
    float *output[] )
{
    int16_t ch_idx, slot_size, slots_to_render, first_sf, last_sf;

    slot_size = st_ivas->hTcBuffer->n_samples_granularity;

    /* loop for synthesis, assume we always have to render in multiples of 5ms subframes with spills */
    slots_to_render = min( st_ivas->hTcBuffer->num_slots - st_ivas->hTcBuffer->slots_rendered, nSamplesAsked / slot_size );
    st_ivas->hTcBuffer->slots_rendered += slots_to_render;
    *nSamplesRendered = (uint16_t) slots_to_render * slot_size;
    first_sf = st_ivas->hTcBuffer->subframes_rendered;
    last_sf = first_sf;

    while ( slots_to_render > 0 )
    {
        slots_to_render -= st_ivas->hTcBuffer->subframe_nbslots[last_sf]; // <--- this is line that is reported
        last_sf++;
    }

Link to test pipeline: https://forge.3gpp.org/rep/ivas-codec-pc/ivas-codec/-/jobs/278856

Ways to reproduce

Using the scripts:

dly_profile.dat

python3 scripts/IvasBuildAndRunChecks.py --checks CLANG3 -m OMASA_ISM2_2TC_ball_fb_rs -p /path/to/my/local/ci_linux_ltv_local.json --usan_supp_file scripts/ubsan.supp -J dly_profile.dat --oc EXT

or directly:

make clean
make -j CLANG=3
UBSAN_OPTIONS=suppressions=scripts/ubsan.supp,report_error_type=1,log_path=usan_log_catchall ./IVAS_cod -ism_masa 2 2 ltv48_OMASA_2ISM_2TC_ISM1.csv ltv48_OMASA_2ISM_2TC_ISM2.csv ltv48_OMASA_2ISM_2TC.met -max_band fb scripts/switchPaths/sw_13k2_512k.bin 48 ltv48_OMASA_2ISM_2TC.wav bit
networkSimulator_g192 dly_profile.dat bit bit_err trace_dump 1
UBSAN_OPTIONS=suppressions=scripts/ubsan.supp,report_error_type=1,log_path=usan_log_catchall ./IVAS_dec -voip EXT 48 bit_err out.wav
Edited by Jan Kiene