
Sanitizer errors in ParamMC SVD function

Basic info

  • Commit SHA: Found at 143a5ccc, but still there in current master
  • Platform: Found on Linux, probably everywhere

Bug description

There are MemorySanitizer (use-of-uninitialized-value) and AddressSanitizer (stack-buffer-overflow) errors found in ParamMC 5.1 WB decoding; both traces go through svd() in lib_dec/ivas_svd_dec.c, called from computeMixingMatrices. It may be that one of them is the cause of the other.

Memory sanitizer:

==================================================================================================
 IVAS Codec Baseline

 Based on EVS Codec (Floating Point) 3GPP TS26.443 Nov 04, 2021,
 Version 12.14.0 / 13.10.0 / 14.6.0 / 15.4.0 / 16.3.0
==================================================================================================

Input bitstream file:   bit_cut
Output synthesis file:  out.wav

Output sampling rate:   16000 Hz
Bitrate:                48.00 kbps
Input configuration:    Multichannel 5.1 (CICP6)
Output configuration:   Multichannel 5.1 (CICP6)

------ Running the decoder ------

Frames processed:       5055    ==1644649==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xc934f5 in flushToZeroMat /local/knj/ivas-codec/lib_dec/ivas_svd_dec.c:913:18
    #1 0xc91726 in svd /local/knj/ivas-codec/lib_dec/ivas_svd_dec.c:217:5
    #2 0xc3955f in computeMixingMatrices /local/knj/ivas-codec/lib_dec/ivas_dirac_output_synthesis_cov.c:582:9
    #3 0x6e34f2 in ivas_param_mc_get_mixing_matrices /local/knj/ivas-codec/lib_dec/ivas_mc_param_dec.c:1612:13
    #4 0x6db727 in ivas_param_mc_dec /local/knj/ivas-codec/lib_dec/ivas_mc_param_dec.c:937:9
    #5 0x5b334f in ivas_dec /local/knj/ivas-codec/lib_dec/ivas_dec.c:442:17
    #6 0x4b104e in IVAS_DEC_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:649:24
    #7 0x4a5cf2 in decodeG192 /local/knj/ivas-codec/apps/decoder.c:1249:24
    #8 0x49aeb2 in main /local/knj/ivas-codec/apps/decoder.c:522:17
    #9 0x7f4be7461d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #10 0x41f5a9 in _start (/local/knj/ivas-codec/IVAS_dec+0x41f5a9)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /local/knj/ivas-codec/lib_dec/ivas_svd_dec.c:913:18 in flushToZeroMat
Exiting

Address sanitizer:

==================================================================================================
 IVAS Codec Baseline

 Based on EVS Codec (Floating Point) 3GPP TS26.443 Nov 04, 2021,
 Version 12.14.0 / 13.10.0 / 14.6.0 / 15.4.0 / 16.3.0
==================================================================================================

Input bitstream file:   bit_cut
Output synthesis file:  out.wav

Output sampling rate:   16000 Hz
Bitrate:                48.00 kbps
Input configuration:    Multichannel 5.1 (CICP6)
Output configuration:   Multichannel 5.1 (CICP6)

------ Running the decoder ------

Frames processed:       5055    =================================================================
==1651627==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd6255cac at pc 0x000000a78fc3 bp 0x7fffd6254db0 sp 0x7fffd6254da8
READ of size 4 at 0x7fffd6255cac thread T0
    #0 0xa78fc2 in BidagonalDiagonalisation /local/knj/ivas-codec/lib_dec/ivas_svd_dec.c:305:29
    #1 0xa77a4c in svd /local/knj/ivas-codec/lib_dec/ivas_svd_dec.c:221:20
    #2 0xa3c818 in computeMixingMatrices /local/knj/ivas-codec/lib_dec/ivas_dirac_output_synthesis_cov.c:472:5
    #3 0x695dcb in ivas_param_mc_get_mixing_matrices /local/knj/ivas-codec/lib_dec/ivas_mc_param_dec.c:1612:13
    #4 0x68fd6a in ivas_param_mc_dec /local/knj/ivas-codec/lib_dec/ivas_mc_param_dec.c:937:9
    #5 0x5c241a in ivas_dec /local/knj/ivas-codec/lib_dec/ivas_dec.c:442:17
    #6 0x50ad19 in IVAS_DEC_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:649:24
    #7 0x5040c7 in decodeG192 /local/knj/ivas-codec/apps/decoder.c:1249:24
    #8 0x4fc375 in main /local/knj/ivas-codec/apps/decoder.c:522:17
    #9 0x7fa7cf766d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #10 0x41e609 in _start (/local/knj/ivas-codec/IVAS_dec+0x41e609)

Address 0x7fffd6255cac is located in stack of thread T0 at offset 2348 in frame
    #0 0xa3c04f in computeMixingMatrices /local/knj/ivas-codec/lib_dec/ivas_dirac_output_synthesis_cov.c:431

  This frame has 14 object(s):
    [32, 36) 'limit' (line 440)
    [48, 1072) 'svd_in_buffer' (line 441)
    [1200, 2224) 'svd_u_buffer' (line 442)
    [2352, 2416) 'svd_s_buffer' (line 443) <== Memory access at offset 2348 underflows this variable
    [2448, 3472) 'svd_v_buffer' (line 444)
    [3600, 4176) 'Kx' (line 445)
    [4304, 5328) 'Ky' (line 446)
    [5456, 6032) 'Kx_reg_inv' (line 447)
    [6160, 7184) 'Q_Cx' (line 448)
    [7312, 7376) 'Cy_hat_diag' (line 449)
    [7408, 7472) 'G_hat' (line 450)
    [7504, 8528) 'mat_mult_buffer1' (line 451)
    [8656, 9680) 'mat_mult_buffer2' (line 452)
    [9808, 10832) 'mat_mult_buffer3' (line 453)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /local/knj/ivas-codec/lib_dec/ivas_svd_dec.c:305:29 in BidagonalDiagonalisation
Shadow bytes around the buggy address:
  0x10007ac42b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ac42b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ac42b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ac42b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ac42b80: 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
=>0x10007ac42b90: f2 f2 f2 f2 f2[f2]00 00 00 00 00 00 00 00 f2 f2
  0x10007ac42ba0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ac42bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ac42bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ac42bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ac42be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1651627==ABORTING
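As an added worked example (not part of the original report or of the IVAS code), the following C program parses the frame description printed above and attributes the 4-byte READ at frame offset 2348 to the nearest stack object. It lands 4 bytes before svd_s_buffer, which begins at offset 2352; for 4-byte elements that is element index -1, i.e. the diagonalisation step reads one float before the start of the singular-value buffer. The object lines are copied verbatim from the report; the nearest-object rule used here is an assumption of this example and not ASan's internal attribution logic, although it reproduces ASan's verdict for this report.

```c
#include <stdio.h>
#include <string.h>

#define MAX_OBJECTS 32

/* One "[lo, hi) 'name' (line N)" entry from an ASan stack-frame description. */
typedef struct {
    long lo, hi;     /* half-open byte range of the object within the frame */
    char name[64];
    int  line;
} FrameObject;

typedef enum { ACCESS_UNKNOWN, ACCESS_INSIDE, ACCESS_UNDERFLOW, ACCESS_OVERFLOW } AccessKind;

typedef struct {
    AccessKind         kind;
    const FrameObject *obj;      /* object the access is attributed to */
    long               distance; /* bytes before obj->lo (underflow) or past obj->hi (overflow) */
} AccessReport;

/* The 14 object lines of the computeMixingMatrices frame, copied from the report above. */
static const char IVAS_FRAME_OBJECTS[] =
    "    [32, 36) 'limit' (line 440)\n"
    "    [48, 1072) 'svd_in_buffer' (line 441)\n"
    "    [1200, 2224) 'svd_u_buffer' (line 442)\n"
    "    [2352, 2416) 'svd_s_buffer' (line 443) <== Memory access at offset 2348 underflows this variable\n"
    "    [2448, 3472) 'svd_v_buffer' (line 444)\n"
    "    [3600, 4176) 'Kx' (line 445)\n"
    "    [4304, 5328) 'Ky' (line 446)\n"
    "    [5456, 6032) 'Kx_reg_inv' (line 447)\n"
    "    [6160, 7184) 'Q_Cx' (line 448)\n"
    "    [7312, 7376) 'Cy_hat_diag' (line 449)\n"
    "    [7408, 7472) 'G_hat' (line 450)\n"
    "    [7504, 8528) 'mat_mult_buffer1' (line 451)\n"
    "    [8656, 9680) 'mat_mult_buffer2' (line 452)\n"
    "    [9808, 10832) 'mat_mult_buffer3' (line 453)\n";

/* Parse every object line found in text; returns the number of objects stored. */
int parse_frame_objects(const char *text, FrameObject *out, int max)
{
    int n = 0;
    const char *p = text;
    while (n < max && (p = strchr(p, '[')) != NULL) {
        FrameObject o;
        if (sscanf(p, "[%ld, %ld) '%63[^']' (line %d)", &o.lo, &o.hi, o.name, &o.line) == 4)
            out[n++] = o;
        p++; /* keep scanning after this '[' */
    }
    return n;
}

/* Attribute a [offset, offset + size) access to the nearest frame object.
 * Nearest-object heuristic (assumption of this example), not ASan's own logic. */
AccessReport classify_access(const FrameObject *objs, int n, long offset, long size)
{
    AccessReport best = { ACCESS_UNKNOWN, NULL, -1 };
    for (int i = 0; i < n; i++) {
        const FrameObject *o = &objs[i];
        AccessReport cur = { ACCESS_INSIDE, o, 0 };
        if (offset < o->lo) {
            cur.kind = ACCESS_UNDERFLOW;
            cur.distance = o->lo - offset;
        } else if (offset + size > o->hi) {
            cur.kind = ACCESS_OVERFLOW;
            cur.distance = offset + size - o->hi;
        }
        if (best.obj == NULL || cur.distance < best.distance)
            best = cur;
    }
    return best;
}

/* Floor division so that negative byte offsets map to negative element indices. */
static long floor_div(long a, long b)
{
    long q = a / b;
    if ((a % b != 0) && ((a < 0) != (b < 0))) q--;
    return q;
}

/* Index of the element (elem_size bytes each) in which the access begins,
 * counted from the attributed object's start: -1 is one element before it. */
long access_element_index(const AccessReport *r, long offset, long elem_size)
{
    if (r->obj == NULL || elem_size <= 0) return 0;
    return floor_div(offset - r->obj->lo, elem_size);
}

/* Helpers bound to the report above: the READ of size 4 at frame offset 2348. */
AccessReport classify_page_access(void)
{
    static FrameObject objs[MAX_OBJECTS]; /* static so the returned pointer stays valid */
    int n = parse_frame_objects(IVAS_FRAME_OBJECTS, objs, MAX_OBJECTS);
    return classify_access(objs, n, 2348, 4);
}

int count_page_objects(void)
{
    FrameObject objs[MAX_OBJECTS];
    return parse_frame_objects(IVAS_FRAME_OBJECTS, objs, MAX_OBJECTS);
}

long page_element_index(void)
{
    AccessReport r = classify_page_access();
    return access_element_index(&r, 2348, 4);
}

int main(void)
{
    static const char *kind_name[] = { "unknown", "inside", "underflow", "overflow" };
    AccessReport r = classify_page_access();
    printf("%d objects parsed\n", count_page_objects());
    printf("access at 2348 (4 bytes): %s of '%s' (line %d) by %ld byte(s), element index %ld\n",
           kind_name[r.kind], r.obj ? r.obj->name : "?", r.obj ? r.obj->line : 0,
           r.distance, page_element_index());
    return 0;
}
```

Build with any C99 compiler and run; no sanitizer is needed, since the program only interprets the text ASan already printed. The same parser works on any "This frame has N object(s)" block, so it can be pointed at other stack-buffer-overflow reports to turn a raw frame offset into the object, line and element index a fix should look at.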

Ways to reproduce

Problematic bitstream is attached below.

make clean
make -j CLANG=1 # CLANG=2 for address sanitizer

./IVAS_dec 5_1 16 bit_cut out.wav

bit_cut