Buffer Overflow in stereo DTX rate switching with frame errors
Basic info
- Commit SHA: latest main 80a428f4
Bug description
The Clang ASan (AddressSanitizer) test in the pipeline found an error:
=================================================================
==582860==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001486cb2 at pc 0x000000af5290 bp 0x7ffcf2d321f0 sp 0x7ffcf2d321e8
READ of size 2 at 0x000001486cb2 thread T0
#0 0xaf528f in stereo_dft_dec_sid_coh /local/knj/ivas-codec/lib_dec/ivas_stereo_cng_dec.c:154:21
#1 0x7a0c10 in stereo_dft_dec_read_BS /local/knj/ivas-codec/lib_dec/ivas_stereo_dft_dec.c:2430:9
#2 0xaaa058 in ivas_cpe_dec /local/knj/ivas-codec/lib_dec/ivas_cpe_dec.c:259:17
#3 0x6226df in ivas_jbm_dec_tc /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:125:24
#4 0x4ef5af in IVAS_DEC_GetTcSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:1464:24
#5 0x4ed5cc in IVAS_DEC_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:1100:32
#6 0x4e1b62 in decodeG192 /local/knj/ivas-codec/apps/decoder.c:2406:28
#7 0x4d2c1d in main /local/knj/ivas-codec/apps/decoder.c:832:17
#8 0x7f6420b72d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#9 0x41f5a9 in _start (/local/knj/ivas-codec/CLANG2/IVAS_dec+0x41f5a9)
0x000001486cb2 is located 46 bytes to the left of global variable 'dft_cng_coh_i2u' defined in 'lib_com/ivas_rom_com.c:811:15' (0x1486ce0) of size 18
0x000001486cb2 is located 0 bytes to the right of global variable 'dft_cng_coh_u2i' defined in 'lib_com/ivas_rom_com.c:809:15' (0x1486ca0) of size 18
SUMMARY: AddressSanitizer: global-buffer-overflow /local/knj/ivas-codec/lib_dec/ivas_stereo_cng_dec.c:154:21 in stereo_dft_dec_sid_coh
Shadow bytes around the buggy address:
==582860==ABORTING
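Added example, not code from the ivas-codec project: it decodes the two "is located" lines of the report into the table index the faulting read touched and shows a bounds check that rejects it. It assumes 16-bit table elements (consistent with the 2-byte READ) and uses a constructed stand-in table; the real `dft_cng_coh_u2i` contents are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the table ASan names: 18 bytes of 16-bit entries
 * (the 2-byte READ implies 16-bit elements), so 9 usable indices 0..8.
 * The real values live in lib_com/ivas_rom_com.c and are not reproduced. */
static const int16_t coh_u2i_table[9] = { 0, 1, 2, 3, 4, 5, 6, 7, 8 };
#define COH_TABLE_LEN (sizeof(coh_u2i_table) / sizeof(coh_u2i_table[0]))

/* Turn an ASan "located N bytes to the right of ... of size S" line into the
 * element index the faulting read touched: (S + N) / element size. */
size_t asan_offset_to_index(size_t var_size, size_t bytes_right, size_t elem_size)
{
    return (var_size + bytes_right) / elem_size;
}

/* Cross-check the two "is located" lines against each other: the faulting
 * address must equal table_start + table_size, and the next global's start
 * minus that address must equal the reported left offset. */
int asan_layout_consistent(uintptr_t fault, uintptr_t u2i_start, size_t u2i_size,
                           uintptr_t i2u_start, size_t bytes_left_of_i2u)
{
    return fault == u2i_start + u2i_size && i2u_start - fault == bytes_left_of_i2u;
}

/* Bounds-checked lookup: returns 0 and writes *out on success, -1 for any idx
 * outside the table, which covers the one-past-the-end idx == 9 case above. */
int coh_lookup_checked(int idx, int16_t *out)
{
    if (idx < 0 || (size_t)idx >= COH_TABLE_LEN) {
        return -1;
    }
    *out = coh_u2i_table[idx];
    return 0;
}

int main(void)
{
    /* Figures taken from the report: size 18, 0 bytes right, READ of size 2. */
    size_t idx = asan_offset_to_index(18, 0, 2);
    int16_t v;
    printf("faulting index = %zu (table holds %zu entries)\n", idx, COH_TABLE_LEN);
    printf("checked lookup at %zu -> %s\n", idx,
           coh_lookup_checked((int)idx, &v) == 0 ? "ok" : "rejected");
    printf("layout consistent: %d\n",
           asan_layout_consistent(0x1486cb2, 0x1486ca0, 18, 0x1486ce0, 46));
    return 0;
}
```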
Input bitstream file: /local/knj/ivas-cod
Link to test pipeline: https://forge.3gpp.org/rep/ivas-codec-pc/ivas-codec/-/jobs/173926
Ways to reproduce
Error pattern: ep_015.g192
Using the script:
python3 scripts/IvasBuildAndRunChecks.py --checks CLANG2 -m stereo_b24_64_dtx_swb_rs -p /path/to/my/local/ci_linux_ltv_local.json -f ep_015.g192