Stack-buffer-overflow in MDCT-Stereo PLC if ch0 has TD-PLC and ch1 has FD-PLC with prior TCX10 framing
Basic info
- Commit SHA: eb7d0087 (or latest main)
- Platform: all
Bug description
In MDCT-Stereo, when concealing a lost frame, there can be an out-of-bounds write if one channel is concealed with TD-PLC (one subframe) and the other is concealed with FD-PLC with the last good frame being a TCX10 frame (2 subframes). In lib_dec/ivas_stereo_mdct_stereo_dec.c, function stereo_decoder_tcx(), channels are scaled according to the decoded ILD value (for bad frames it is the one from the last good frame). This function is entered for bfi frames if at least one of the channels is concealed with FD-PLC. In this particular case, the FD-PLC frame is scaled (with frame length 960), but since the other channel is TCX10, the scaling loop is run twice (for two subframes), thus scaling the TD-PLC channel twice, once starting from the beginning of the buffer and a second time starting from the middle, which leads to an out-of-bounds write.
Ways to reproduce
./scripts/IvasBuildAndRunChecks.py -p ~/ivas-script-configs/ci_linux_ltv_local.json --checks CLANG2 -m stereo_b80_dtx_fb_cbr -f ep_015.192
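
The indexing from the bug description, as an added C model that is not the IVAS decoder's code. The names chan_t, scale_span, scale_shared_count, scale_per_channel and run_case are hypothetical, and the 480-sample TCX10 subframe length and the 960-sample buffer size are assumptions; only the frame length 960 and the one-versus-two subframe split come from the report.

```c
#include <stddef.h>
#include <stdio.h>

#define L_FRAME 960  /* frame length named in the report; buffer size is assumed equal */
typedef struct {     /* hypothetical channel model, not the codec's struct */
    int   n_sub;     /* 1 = TD-PLC (one subframe), 2 = last good frame was TCX10 */
    int   len;       /* samples scaled per pass (assumed: 960 TD-PLC, 480 per TCX10 subframe) */
    float buf[L_FRAME];
} chan_t;

/* Scale len samples from start; return 1 without writing if the span leaves buf. */
static int scale_span(chan_t *c, size_t start, size_t len, float g)
{
    if (start > L_FRAME || len > L_FRAME - start)
        return 1;
    for (size_t i = 0; i < len; i++)
        c->buf[start + i] *= g;
    return 0;
}

/* Pattern described in the report: the larger subframe count drives the loop
 * for both channels. Returns how many passes would have written out of bounds. */
static int scale_shared_count(chan_t ch[2], float g)
{
    int n = ch[0].n_sub > ch[1].n_sub ? ch[0].n_sub : ch[1].n_sub, bad = 0;
    for (int k = 0; k < n; k++)
        for (int c = 0; c < 2; c++)
            bad += scale_span(&ch[c], (size_t)k * (L_FRAME / n), (size_t)ch[c].len, g);
    return bad;
}

/* Hardened form: each channel is walked with its own subframe count. */
static int scale_per_channel(chan_t ch[2], float g)
{
    int bad = 0;
    for (int c = 0; c < 2; c++)
        for (int k = 0; k < ch[c].n_sub; k++)
            bad += scale_span(&ch[c], (size_t)k * (L_FRAME / ch[c].n_sub), (size_t)ch[c].len, g);
    return bad;
}

/* Constructed case: ch0 concealed with TD-PLC, ch1 with FD-PLC after a TCX10 frame. */
int run_case(int hardened)
{
    static chan_t ch[2];
    ch[0] = (chan_t){ .n_sub = 1, .len = L_FRAME };
    ch[1] = (chan_t){ .n_sub = 2, .len = L_FRAME / 2 };
    return hardened ? scale_per_channel(ch, 0.5f) : scale_shared_count(ch, 0.5f);
}
int main(void) { printf("shared=%d per-channel=%d\n", run_case(0), run_case(1)); return 0; }
```

In the shared-count loop the second pass over the TD-PLC channel starts at sample 480 with length 960, which is the span the bounds check refuses.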