Crash in planar FOA decoding with JBM caused by uninitialized value
Decoder crashes for planar FOA when JBM is used.
How to reproduce:
- Get the ltv16_FOA.wav vector from https://forge.3gpp.org/rep/ivas-codec-pc/ivas-pc-testfiles/-/tree/knj/tmp-branch-with-shortened-files?ref_type=heads (NOTE: this is a 1s shortened version of the usual ltv FOA testvector resampled to 16kHz)
- Encode: ./IVAS_cod -sba -1 512000 16 ltv16_FOA.wav bit
- Run the network simulator: scripts/tools/Linux/networkSimulator_g192 scripts/dly_error_profiles/dly_error_profile_5.dat bit bit_jbm tracefile 2 0
- Decode with JBM: ./IVAS_dec -VOIP FOA 16 bit_jbm out.wav
Result:
fish: “./IVAS_dec -VOIP FOA 16 bit_fro…” terminated by signal SIGSEGV (Address boundary error)
When building the codec with make CLANG=1, one gets this output, which might hint at the actual problem:
==================================================================================================
IVAS Codec Baseline
Based on EVS Codec (Floating Point) 3GPP TS26.443 Nov 04, 2021,
Version 12.14.0 / 13.10.0 / 14.6.0 / 15.4.0 / 16.3.0
==================================================================================================
Input bitstream file: bit_from_pytest
Output synthesis file: out_from_pytest.wav
Output sampling rate: 16000 Hz
Input configuration: Scene Based Audio, Ambisonic order 1 (Planar), 4 transport channel(s)
Output configuration: Ambisonics: First Order (FOA)
TSM mode: ON
API 5ms mode: ON
------ Running the decoder ------
==202122==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x70c354 in ivas_jbm_dec_copy_tc /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:1836:64
#1 0x7093eb in ivas_jbm_dec_feed_tc_to_renderer /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:682:9
#2 0x4cdc60 in IVAS_DEC_RendererFeedTcSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:1279:20
#3 0x4c98b8 in IVAS_DEC_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:893:32
#4 0x4dac46 in IVAS_DEC_VoIP_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:2417:28
#5 0x4b16b5 in decodeVoIP /local/knj/ivas-codec/apps/decoder.c:3034:24
#6 0x4a4fbb in main /local/knj/ivas-codec/apps/decoder.c:794:17
#7 0x7f622f9e7d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#8 0x421549 in _start (/local/knj/ivas-codec/IVAS_dec+0x421549)
SUMMARY: MemorySanitizer: use-of-uninitialized-value /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:1836:64 in ivas_jbm_dec_copy_tc
Exiting
And this is what asan says:
==218060==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffed5b64540 at pc 0x000000663de4 bp 0x7ffed5b5c8c0 sp 0x7ffed5b5c8b8
READ of size 8 at 0x7ffed5b64540 thread T0
#0 0x663de3 in ivas_jbm_dec_copy_tc /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:1833:39
#1 0x6620a6 in ivas_jbm_dec_feed_tc_to_renderer /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:682:9
#2 0x4ec53c in IVAS_DEC_RendererFeedTcSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:1279:20
#3 0x4ea613 in IVAS_DEC_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:893:32
#4 0x4f529e in IVAS_DEC_VoIP_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:2417:28
#5 0x4daf2c in decodeVoIP /local/knj/ivas-codec/apps/decoder.c:3034:24
#6 0x4d2980 in main /local/knj/ivas-codec/apps/decoder.c:794:17
#7 0x7f89b5424d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#8 0x41f5a9 in _start (/local/knj/ivas-codec/IVAS_dec+0x41f5a9)
Address 0x7ffed5b64540 is located in stack of thread T0 at offset 31040 in frame
#0 0x661cbf in ivas_jbm_dec_feed_tc_to_renderer /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:664
This frame has 2 object(s):
[32, 30752) 'data_f' (line 666)
[31008, 31040) 'p_data_f' (line 667) <== Memory access at offset 31040 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:1833:39 in ivas_jbm_dec_copy_tc
==218060==ABORTING
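The frame information in the ASan report puts the 8-byte READ at offset 31040 while p_data_f spans [31008, 31040), a 32-byte object: four 8-byte pointers for the four transport channels, read at index 4, one past the end. As an added example that is not the codec's code, the hypothetical routine below shows the checks such a copy loop needs so a channel count cannot index past the pointer array and an unset slot (MSan's uninitialized value) is refused rather than dereferenced; all names and sizes are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not the codec's code: the checks a transport-channel
 * copy loop needs so the channel count cannot index past the pointer array
 * (the report's read at index 4 of a 4-pointer object) and an unset slot is
 * refused rather than dereferenced. Names and sizes are hypothetical. */

#define N_TC_POINTERS 4    /* slots in the pointer array (four transport channels) */
#define FRAME_SAMPLES 16   /* hypothetical samples per channel per frame */

/* Copy nchan channels of FRAME_SAMPLES floats via the per-channel pointers in
 * p_data_f (real length n_ptrs, passed explicitly) into out (out_len floats).
 * Returns 0 on success, -1 if the request cannot be satisfied safely. */
static int copy_tc_checked(float *const p_data_f[], int n_ptrs, int nchan,
                           float *out, size_t out_len)
{
    if (nchan < 0 || nchan > n_ptrs)                 /* would read p_data_f[n_ptrs] */
        return -1;
    if (out_len < (size_t)nchan * FRAME_SAMPLES)    /* destination too small */
        return -1;
    for (int ch = 0; ch < nchan; ch++) {
        if (p_data_f[ch] == NULL)                    /* slot never set up */
            return -1;
        memcpy(out + (size_t)ch * FRAME_SAMPLES, p_data_f[ch],
               FRAME_SAMPLES * sizeof(float));
    }
    return 0;
}

/* Constructed scenario: four transport-channel buffers whose first sample is
 * a marker (1.0 .. 4.0). A caller asks for nchan channels; if unset_slot is
 * non-negative that pointer is left NULL. Returns the first sample of output
 * channel ch, or -1.0f if copy_tc_checked refused the request. */
static float feed_scenario(int nchan, int unset_slot, int ch)
{
    static float tc[N_TC_POINTERS][FRAME_SAMPLES];  /* sample storage, zeroed */
    float *p_data_f[N_TC_POINTERS] = {0};            /* explicit init, no stale pointers */
    float out[N_TC_POINTERS * FRAME_SAMPLES];
    for (int i = 0; i < N_TC_POINTERS; i++) {
        tc[i][0] = (float)(i + 1);
        p_data_f[i] = (i == unset_slot) ? NULL : tc[i];
    }
    if (copy_tc_checked(p_data_f, N_TC_POINTERS, nchan, out,
                        sizeof out / sizeof out[0]) != 0)
        return -1.0f;
    return (ch >= 0 && ch < nchan) ? out[(size_t)ch * FRAME_SAMPLES] : -1.0f;
}
```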