ASAN: stack-buffer-underflow in ivas_td_decorr_process for OSBA rate switching + JBM

Basic info

Bug description

Clang ASAN sanitizer test in pipeline found an error:

==411436==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffcdcf5eda0 at pc 0x000000e24b0d bp 0x7ffcdcf5bbc0 sp 0x7ffcdcf5bbb8
READ of size 4 at 0x7ffcdcf5eda0 thread T0
    #0 0xe24b0c in mvr2r /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_com/tools.c:330:20
    #1 0xe2a218 in delay_signal /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_com/tools.c:1776:5
    #2 0xa0f16d in ivas_td_decorr_process /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_rend/ivas_td_decorr.c:474:5
    #3 0x813a09 in ivas_spar_dec_digest_tc /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_spar_decoder.c:1330:17
    #4 0x7ed5a1 in ivas_sba_dec_digest_tc /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_sba_dec.c:672:9
    #5 0x708dc1 in ivas_dec_prepare_renderer /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_jbm_dec.c:2896:13
    #6 0x500fe8 in IVAS_DEC_PrepareRenderer /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_dec/lib_dec.c:1603:5
    #7 0x512264 in IVAS_DEC_VoIP_GetSamples /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_dec/lib_dec.c:3686:32
    #8 0x4dc3d6 in decodeVoIP /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/apps/decoder.c:3362:28
    #9 0x4d2c94 in main /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/apps/decoder.c:783:17
    #10 0x7f5f20672d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #11 0x7f5f20672e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #12 0x41f5a4 in _start (/home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/CLANG2/IVAS_dec+0x41f5a4)

Address 0x7ffcdcf5eda0 is located in stack of thread T0 at offset 0 in frame
    #0 0x81311f in ivas_spar_dec_digest_tc /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_dec/ivas_spar_decoder.c:1291

  This frame has 3 object(s):
    [32, 42272) 'Pcm_tmp' (line 1297)
    [42528, 42616) 'pPcm_tmp' (line 1298)
    [42656, 42744) 'p_tc' (line 1299)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /home/gitlab-runner/builds/EDkAKxT6/0/rep/ivas-codec-pc/ivas-codec/lib_com/tools.c:330:20 in mvr2r
Shadow bytes around the buggy address:
  0x10001b9e3d60: 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x10001b9e3d70: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001b9e3d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001b9e3d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001b9e3da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001b9e3db0: 00 00 00 00[f1]f1 f1 f1 00 00 00 00 00 00 00 00
  0x10001b9e3dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001b9e3dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001b9e3de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001b9e3df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001b9e3e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==411436==ABORTING

Link to test pipeline: https://forge.3gpp.org/rep/ivas-codec-pc/ivas-codec/-/jobs/374363#L121

Ways to reproduce

Artifacts from the pipeline containing necessary files:

sanitizer-test-osba-foa-ism2--main--sha-3d8045a9.zip

Using the scripts:

python3 scripts/IvasBuildAndRunChecks.py --checks CLANG2 -m OSBA_ISM2_PlanarFOA_ball_swb_rs -p /path/to/my/local/ci_linux_ltv_local.json -J dly_profile.dat -D="-T ./head_rot.traj.csv -exof ./exof_traj.csv"

or directly:

make clean
make -j CLANG=2
./IVAS_cod -ism_sba 2 -1 NULL NULL -max_band swb scripts/switchPaths/sw_13k2_512k.bin 32 ltv32_OSBA_2ISM_FOA.wav bit
networkSimulator_g192 dly_profile.dat bit bit_err trace_dump 1
./IVAS_dec -Tracefile ltv48_OSBA_2ISM_FOA_OSBA_ISM2_PlanarFOA_ball_swb_rs_jbm_dly_profile_dat.dec.BINAURAL.wav.tracefile_dec -VOIP -T ./head_rot_traj.csv -exof ./exof_traj.csv BINAURAL 32 bit out.wav
Edited by Jan Kiene
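
For triage, the frame layout in the report can be read mechanically to see which stack object the faulting offset sits next to. The following is an added example, not part of the original issue or the IVAS code base; `triage_stack_report` and its result keys are hypothetical names, and the embedded report is a trimmed excerpt of the log above with build paths shortened.

```python
import re

# Trimmed excerpt of the AddressSanitizer report above (build paths shortened).
REPORT = """\
==411436==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffcdcf5eda0 at pc 0x000000e24b0d bp 0x7ffcdcf5bbc0 sp 0x7ffcdcf5bbb8
READ of size 4 at 0x7ffcdcf5eda0 thread T0
    #0 0xe24b0c in mvr2r lib_com/tools.c:330:20
Address 0x7ffcdcf5eda0 is located in stack of thread T0 at offset 0 in frame
    #0 0x81311f in ivas_spar_dec_digest_tc lib_dec/ivas_spar_decoder.c:1291
  This frame has 3 object(s):
    [32, 42272) 'Pcm_tmp' (line 1297)
    [42528, 42616) 'pPcm_tmp' (line 1298)
    [42656, 42744) 'p_tc' (line 1299)
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
FRAME_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+)", re.M)
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)", re.M)


def triage_stack_report(text):
    """Place the faulting frame offset relative to the frame's stack objects."""
    kind, size = ACCESS_RE.search(text).groups()
    where = OFFSET_RE.search(text)
    offset = int(where.group(1))
    # The first "#0" entry after the "in frame" line names the frame's owner,
    # which is not the function that performed the access (mvr2r here).
    owner = FRAME_RE.search(text, where.end()).group(1)
    best = None
    for lo, hi, name, line in OBJECT_RE.findall(text):
        lo, hi = int(lo), int(hi)
        if lo <= offset < hi:
            side, dist = "inside", 0
        elif offset < lo:
            side, dist = "before", lo - offset       # left-redzone side
        else:
            side, dist = "after", offset - hi + 1    # right-redzone side
        if best is None or dist < best["distance"]:
            best = {"object": name, "declared_at_line": int(line),
                    "side": side, "distance": dist}
    return {"access": kind, "size": int(size), "frame": owner,
            "offset": offset, **(best or {})}


if __name__ == "__main__":
    r = triage_stack_report(REPORT)
    print(f"{r['access']} of {r['size']} bytes in frame {r['frame']}: {r['distance']} "
          f"bytes {r['side']} '{r['object']}' (line {r['declared_at_line']})")
```

For this report the read lands 32 bytes before `Pcm_tmp` in the frame of `ivas_spar_dec_digest_tc`, which matches the `f1` (stack left redzone) shadow bytes at the faulting address.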