Stack-buffer-overflow in MDCT-Stereo PLC if ch0 has TD-PLC and ch1 has FD-PLC with prior TCX10 framing

Basic info

  • Commit SHA: eb7d0087 (or latest main)
  • Platform: all

Bug description

In MDCT-Stereo, when concealing a lost frame, there can be an out-of-bounds write if one channel is concealed with TD-PLC (one subframe) and the other is concealed with FD-PLC with the last good frame being a TCX10 frame (two subframes). In lib_dec/ivas_stereo_mdct_stereo_dec.c, function stereo_decoder_tcx(), the channels are scaled according to the decoded ILD value (for bad frames, the value from the last good frame). This function is entered for bfi frames if at least one of the channels is concealed with FD-PLC. In this particular case, the FD-PLC frame is scaled with frame length 960, but because the other channel is TCX10, the scaling loop runs twice (once per subframe). The TD-PLC channel is therefore scaled twice, the first pass starting at the beginning of the buffer and the second starting from the middle, and the second pass runs past the end of the buffer, which is the out-of-bounds write.
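The following is an added, simplified model of the subframe mismatch described above; it is not code from the IVAS code base. FRAME_LEN, Channel, unchecked_end_index(), overrun_samples() and scale_channel_checked() are names assumed for this example. It reproduces the arithmetic of the faulty loop (pass count taken from the two-subframe channel, pass length taken from the channel being scaled) without performing the write, reports how far past the buffer the second pass would reach, and shows the scaling done with the hop and length derived from the same channel plus an explicit bound on every pass.

```c
#include <stdio.h>

/* Simplified model of the subframe mismatch described in the report.
 * FRAME_LEN, Channel and the function names are assumptions made for this
 * example; they are not identifiers from the IVAS code base. */

#define FRAME_LEN 960                 /* frame length named in the report */

typedef struct {
    float buf[FRAME_LEN];
    int   n_subframes;                /* 1: TD-PLC (one subframe); 2: FD-PLC after a TCX10 frame */
} Channel;

/* A channel's own subframe length: the whole frame for one subframe, half for two. */
static int subframe_len(const Channel *c)
{
    return FRAME_LEN / c->n_subframes;
}

/* Reproduces the arithmetic of the faulty loop without performing the write:
 * the loop runs `loop_subframes` times (taken from the channel with the most
 * subframes), each pass starting FRAME_LEN/loop_subframes samples further on,
 * but scales `c` by its OWN subframe length. Returns the exclusive end index
 * of the last pass; anything above FRAME_LEN would be an out-of-bounds write. */
static int unchecked_end_index(const Channel *c, int loop_subframes)
{
    int hop = FRAME_LEN / loop_subframes;
    return (loop_subframes - 1) * hop + subframe_len(c);
}

/* Number of samples the faulty loop would write past the end of ch0's buffer
 * when the pass count is taken from whichever channel has more subframes. */
static int overrun_samples(const Channel *ch0, const Channel *ch1)
{
    int loop_subframes = ch0->n_subframes > ch1->n_subframes
                       ? ch0->n_subframes : ch1->n_subframes;
    int end = unchecked_end_index(ch0, loop_subframes);
    return end > FRAME_LEN ? end - FRAME_LEN : 0;
}

/* Hardened variant: drive the loop by the channel's own subframe count so the
 * hop and the pass length always agree, and bound every pass by the buffer end
 * as a second line of defence. Returns the number of samples scaled, or -1 if
 * a pass would leave the buffer (cannot happen with consistent hop/length, but
 * catches a future change to either). */
static int scale_channel_checked(Channel *c, float gain)
{
    int len = subframe_len(c);
    int total = 0;
    for (int k = 0; k < c->n_subframes; k++) {
        int start = k * len;
        if (start + len > FRAME_LEN) {
            return -1;                /* refuse rather than write out of bounds */
        }
        for (int i = start; i < start + len; i++) {
            c->buf[i] *= gain;
        }
        total += len;
    }
    return total;
}

int main(void)
{
    Channel ch0 = { .n_subframes = 1 };   /* TD-PLC: one subframe of 960 samples */
    Channel ch1 = { .n_subframes = 2 };   /* FD-PLC, last good frame TCX10: two subframes of 480 */
    for (int i = 0; i < FRAME_LEN; i++) {
        ch0.buf[i] = 1.0f;
        ch1.buf[i] = 1.0f;
    }

    /* Faulty arithmetic: second pass starts at 480 and runs 960 samples, so 480 past the end. */
    printf("faulty loop would write %d samples past ch0's buffer\n",
           overrun_samples(&ch0, &ch1));                        /* 480 */

    /* Consistent per-channel loop: each buffer is scaled exactly once, fully in bounds. */
    printf("checked scaling: ch0 %d samples, ch1 %d samples\n",
           scale_channel_checked(&ch0, 0.5f), scale_channel_checked(&ch1, 0.5f));
    return 0;
}
```

The two defences complement each other: deriving the pass count and pass length from the same channel removes the mismatch that causes the overrun, and the bound check turns any remaining inconsistency into a refused scale instead of a silent stack write. ASan builds (the CLANG2 check used in the reproduction command) surface the original fault as a stack-buffer-overflow; the bound check makes the same condition visible in non-instrumented builds.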

Ways to reproduce

ep_015.192

./scripts/IvasBuildAndRunChecks.py -p ~/ivas-script-configs/ci_linux_ltv_local.json --checks CLANG2 -m stereo_b80_dtx_fb_cbr -f ep_015.192