Heap buffer overflow error in SBA to stereo decoding at 512 kbps
Basic info
- Commit SHA: 57da6177
Bug description
The Clang ASan sanitizer test in the pipeline found an error:
=================================================================
==389056==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000100 at pc 0x0000007b067d bp 0x7ffc0f2cdf40 sp 0x7ffc0f2cdf38
READ of size 4 at 0x604000000100 thread T0
#0 0x7b067c in ivas_sba_dirac_stereo_smooth_parameters /local/knj/ivas-codec2/lib_dec/ivas_sba_dirac_stereo_dec.c:789:66
#1 0x80707f in stereo_dft_dec /local/knj/ivas-codec2/lib_dec/ivas_stereo_dft_dec.c:1208:13
#2 0x7b1f5b in ivas_sba_dirac_stereo_dec /local/knj/ivas-codec2/lib_dec/ivas_sba_dirac_stereo_dec.c:881:5
#3 0x6133ba in ivas_dec /local/knj/ivas-codec2/lib_dec/ivas_dec.c:449:13
#4 0x51713d in IVAS_DEC_GetSamples /local/knj/ivas-codec2/lib_dec/lib_dec.c:863:24
#5 0x50e692 in decodeG192 /local/knj/ivas-codec2/apps/decoder.c:1752:24
#6 0x4fd7de in main /local/knj/ivas-codec2/apps/decoder.c:631:17
#7 0x7fd2f0afdd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
#8 0x41e609 in _start (/local/knj/ivas-codec2/CLANG2/IVAS_dec+0x41e609)
0x604000000100 is located 0 bytes to the right of 48-byte region [0x6040000000d0,0x604000000100)
allocated by thread T0 here:
#0 0x4c9fb3 in malloc /local1/bnd/llvm-8.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x7dd82d in ivas_spar_md_dec_matrix_open /local/knj/ivas-codec2/lib_dec/ivas_spar_md_dec.c:154:56
#2 0x7dd021 in ivas_spar_md_dec_open /local/knj/ivas-codec2/lib_dec/ivas_spar_md_dec.c:337:20
#3 0x7c8625 in ivas_spar_dec_open /local/knj/ivas-codec2/lib_dec/ivas_spar_decoder.c:126:20
#4 0x69a79e in ivas_init_decoder /local/knj/ivas-codec2/lib_dec/ivas_init_dec.c:924:32
#5 0x694e36 in ivas_dec_setup /local/knj/ivas-codec2/lib_dec/ivas_init_dec.c:315:24
#6 0x60f2a5 in ivas_dec /local/knj/ivas-codec2/lib_dec/ivas_dec.c:90:24
#7 0x51713d in IVAS_DEC_GetSamples /local/knj/ivas-codec2/lib_dec/lib_dec.c:863:24
#8 0x50e692 in decodeG192 /local/knj/ivas-codec2/apps/decoder.c:1752:24
#9 0x4fd7de in main /local/knj/ivas-codec2/apps/decoder.c:631:17
#10 0x7fd2f0afdd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
SUMMARY: AddressSanitizer: heap-buffer-overflow /local/knj/ivas-codec2/lib_dec/ivas_sba_dirac_stereo_dec.c:789:66 in ivas_sba_dirac_stereo_smooth_parameters
Shadow bytes around the buggy address:
0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff8000: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 04
0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
=>0x0c087fff8020:[fa]fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
0x0c087fff8030: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
0x0c087fff8040: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
0x0c087fff8050: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
0x0c087fff8060: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
0x0c087fff8070: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==389056==ABORTING
Link to test pipeline: https://forge.3gpp.org/rep/ivas-codec-pc/ivas-codec/-/jobs/85718
Ways to reproduce
Using the scripts:
python3 scripts/IvasBuildAndRunChecks.py --checks CLANG2 -m SBA_b512_fb_cbr -p /path/to/my/local/ci_linux_ltv_local.json
or directly:
make clean
make -j CLANG=2
./IVAS_cod -sba 3 -max_band fb 512000 48 ltv48_HOA3.wav bit
./IVAS_dec stereo 48 bit out.wav
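To turn the report above into the facts a fixer needs first, here is an added triage script (example code written for this issue, not part of the IVAS codec, its CI scripts or the 3GPP forge). It only assumes the standard AddressSanitizer report layout; the names SAMPLE_REPORT, parse_asan_report, Triage and describe are mine, and the embedded sample is the report quoted above with the shadow-byte dump and the outer frames dropped. It can also be pointed at a log captured from the reproduction commands.

```python
# Added triage helper for this issue; not part of the IVAS codec or its CI scripts.
# Parses a standard AddressSanitizer heap-buffer-overflow report and derives what
# a fixer wants first: how far past the buffer the access landed, which array
# element that corresponds to, and which caller of malloc sized the buffer.
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the report in this issue (shadow-byte dump and outer frames omitted).
SAMPLE_REPORT = """\
==389056==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000100 at pc 0x0000007b067d bp 0x7ffc0f2cdf40 sp 0x7ffc0f2cdf38
READ of size 4 at 0x604000000100 thread T0
#0 0x7b067c in ivas_sba_dirac_stereo_smooth_parameters /local/knj/ivas-codec2/lib_dec/ivas_sba_dirac_stereo_dec.c:789:66
#1 0x80707f in stereo_dft_dec /local/knj/ivas-codec2/lib_dec/ivas_stereo_dft_dec.c:1208:13
0x604000000100 is located 0 bytes to the right of 48-byte region [0x6040000000d0,0x604000000100)
allocated by thread T0 here:
#0 0x4c9fb3 in malloc /local1/bnd/llvm-8.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x7dd82d in ivas_spar_md_dec_matrix_open /local/knj/ivas-codec2/lib_dec/ivas_spar_md_dec.c:154:56
SUMMARY: AddressSanitizer: heap-buffer-overflow /local/knj/ivas-codec2/lib_dec/ivas_sba_dirac_stereo_dec.c:789:66 in ivas_sba_dirac_stereo_smooth_parameters
"""

_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
_FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")
_REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                        r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
_ALLOCATORS = ("malloc", "calloc", "realloc", "posix_memalign", "aligned_alloc", "operator new")


@dataclass
class Frame:
    depth: int
    function: str
    location: str  # file:line:col, or (module+offset) when unsymbolized


@dataclass
class Triage:
    error: str
    access: str  # READ or WRITE
    access_size: int
    address: int
    region_start: int
    region_end: int
    fault_stack: List[Frame]
    alloc_stack: List[Frame]

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    @property
    def overflow_bytes(self) -> int:
        # Bytes between the end of the region and the first byte touched;
        # 0 means the access starts exactly one byte past the buffer.
        return self.address - self.region_end

    @property
    def fault_frame(self) -> Frame:
        return self.fault_stack[0]

    @property
    def alloc_frame(self) -> Optional[Frame]:
        # First frame above the allocator itself: the code that chose the size.
        return next((f for f in self.alloc_stack if not f.function.startswith(_ALLOCATORS)), None)

    def element_index(self, elem_size: Optional[int] = None) -> Tuple[int, int]:
        # (index touched, element count) if the region is an array of elem_size-byte
        # elements; the access width is the usual first guess for the element size.
        size = elem_size or self.access_size
        return (self.address - self.region_start) // size, self.region_size // size


def parse_asan_report(text: str) -> Triage:
    error = access = None
    access_size = address = None
    region = None
    fault_stack: List[Frame] = []
    alloc_stack: List[Frame] = []
    current: Optional[List[Frame]] = None  # which stack the next frame lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _ERROR_RE.search(line)):
            error, address = m.group(1), int(m.group(2), 16)
        elif (m := _ACCESS_RE.match(line)):
            access, access_size = m.group(1), int(m.group(2))
            current = fault_stack
        elif (m := _REGION_RE.search(line)):
            region, current = m, None
        elif line.startswith("allocated by"):
            current = alloc_stack
        elif line.startswith(("freed by", "SUMMARY:", "Shadow bytes")):
            current = None
        elif current is not None and (m := _FRAME_RE.match(line)):
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if error is None or access is None or region is None or not fault_stack:
        raise ValueError("not a complete AddressSanitizer buffer-overflow report")
    start, end = int(region.group(4), 16), int(region.group(5), 16)
    if end - start != int(region.group(3)):
        raise ValueError("region bounds disagree with the reported region size")
    return Triage(error, access, access_size, address, start, end, fault_stack, alloc_stack)


def describe(t: Triage) -> str:
    idx, count = t.element_index()
    alloc = t.alloc_frame
    sized_in = f"{alloc.function} ({alloc.location})" if alloc else "unknown"
    return (f"{t.error}: {t.access} of {t.access_size} bytes starting {t.overflow_bytes} bytes past "
            f"the end of a {t.region_size}-byte buffer; faulting code: {t.fault_frame.function} "
            f"({t.fault_frame.location}); as {t.access_size}-byte elements that is index {idx} of "
            f"{count} (off by {idx - count + 1}); buffer sized in {sized_in}")


if __name__ == "__main__":
    # With a path argument, triage a captured log (e.g. run with ASAN_OPTIONS=log_path=asan);
    # otherwise triage the sample report from this issue.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(describe(parse_asan_report(text)))
```

On the report above the script reports a 4-byte read starting 0 bytes past a 48-byte region, i.e. element 12 of a 12-element array of 4-byte values: a classic off-by-one on the loop bound or on the size computed at ivas_spar_md_dec.c:154, which is the first thing to check when fixing. The element size is only a guess from the access width; pass the real element size to element_index if the buffer holds a different type.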