Crash in planar FOA decoding with JBM caused by uninitialized value
Decoder crashes for planar FOA when JBM is used.

How to reproduce:

- Get the `ltv16_FOA.wav` vector from https://forge.3gpp.org/rep/ivas-codec-pc/ivas-pc-testfiles/-/tree/knj/tmp-branch-with-shortened-files?ref_type=heads (NOTE: this is a 1 s shortened version of the usual ltv FOA test vector resampled to 16 kHz)
- `./IVAS_cod -sba -1 512000 16 ltv16_FOA.wav bit`
- `scripts/tools/Linux/networkSimulator_g192 scripts/dly_error_profiles/dly_error_profile_5.dat bit bit_jbm tracefile 2 0`
- `./IVAS_dec -VOIP FOA 16 bit_jbm out.wav`

Result:

```
fish: “./IVAS_dec -VOIP FOA 16 bit_fro…” terminated by signal SIGSEGV (Address boundary error)
```

When building the codec with `make CLANG=1`, one gets this output, which might hint at the actual problem:

```
==================================================================================================
IVAS Codec Baseline Based on EVS Codec (Floating Point)
3GPP TS26.443 Nov 04, 2021, Version 12.14.0 / 13.10.0 / 14.6.0 / 15.4.0 / 16.3.0
==================================================================================================
Input bitstream file:    bit_from_pytest
Output synthesis file:   out_from_pytest.wav
Output sampling rate:    16000 Hz
Input configuration:     Scene Based Audio, Ambisonic order 1 (Planar), 4 transport channel(s)
Output configuration:    Ambisonics: First Order (FOA)
TSM mode:                ON
API 5ms mode:            ON

------ Running the decoder ------

==202122==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x70c354 in ivas_jbm_dec_copy_tc /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:1836:64
    #1 0x7093eb in ivas_jbm_dec_feed_tc_to_renderer /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:682:9
    #2 0x4cdc60 in IVAS_DEC_RendererFeedTcSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:1279:20
    #3 0x4c98b8 in IVAS_DEC_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:893:32
    #4 0x4dac46 in IVAS_DEC_VoIP_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:2417:28
    #5 0x4b16b5 in decodeVoIP /local/knj/ivas-codec/apps/decoder.c:3034:24
    #6 0x4a4fbb in main /local/knj/ivas-codec/apps/decoder.c:794:17
    #7 0x7f622f9e7d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #8 0x421549 in _start (/local/knj/ivas-codec/IVAS_dec+0x421549)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:1836:64 in ivas_jbm_dec_copy_tc
Exiting
```

And this is what ASan says:

```
==218060==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffed5b64540 at pc 0x000000663de4 bp 0x7ffed5b5c8c0 sp 0x7ffed5b5c8b8
READ of size 8 at 0x7ffed5b64540 thread T0
    #0 0x663de3 in ivas_jbm_dec_copy_tc /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:1833:39
    #1 0x6620a6 in ivas_jbm_dec_feed_tc_to_renderer /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:682:9
    #2 0x4ec53c in IVAS_DEC_RendererFeedTcSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:1279:20
    #3 0x4ea613 in IVAS_DEC_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:893:32
    #4 0x4f529e in IVAS_DEC_VoIP_GetSamples /local/knj/ivas-codec/lib_dec/lib_dec.c:2417:28
    #5 0x4daf2c in decodeVoIP /local/knj/ivas-codec/apps/decoder.c:3034:24
    #6 0x4d2980 in main /local/knj/ivas-codec/apps/decoder.c:794:17
    #7 0x7f89b5424d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #8 0x41f5a9 in _start (/local/knj/ivas-codec/IVAS_dec+0x41f5a9)

Address 0x7ffed5b64540 is located in stack of thread T0 at offset 31040 in frame
    #0 0x661cbf in ivas_jbm_dec_feed_tc_to_renderer /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:664

  This frame has 2 object(s):
    [32, 30752) 'data_f' (line 666)
    [31008, 31040) 'p_data_f' (line 667) <== Memory access at offset 31040 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /local/knj/ivas-codec/lib_dec/ivas_jbm_dec.c:1833:39 in ivas_jbm_dec_copy_tc
Shadow bytes around the buggy address:
  0x10005ab64850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005ab64860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005ab64870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005ab64880: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10005ab64890: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
=>0x10005ab648a0: f2 f2 f2 f2 00 00 00 00[f3]f3 f3 f3 00 00 00 00
  0x10005ab648b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005ab648c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005ab648d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005ab648e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005ab648f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==218060==ABORTING
```
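Reading the ASan frame description above: `p_data_f` spans `[31008, 31040)`, i.e. 32 bytes, and the 8-byte read lands at offset 31040, exactly one pointer past a four-pointer array on an LP64 build. The MSan report then complains about a use of an uninitialized value three lines later, which is what you would expect once the over-read pointer (or an unfilled slot next to it) is dereferenced. The following stand-alone C program is an added illustration of that failure pattern and is not IVAS code: the names `copy_tc_unchecked`, `copy_tc_checked` and `feed_tc`, the table size `MAX_TC`, `FRAME_LEN`, and the idea that a planar scene fills fewer slots than a full FOA scene are all assumptions made for the example. It puts the deliberately buggy copy loop beside a version that carries the table size with the channel count, zero-initialises the pointer table so an unfilled slot is a detectable `NULL` rather than stack garbage, and refuses the copy when the two counts disagree.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustration only, NOT IVAS code. A renderer-feed routine keeps one float
 * buffer per transport channel on the stack plus a table of pointers into
 * those buffers. The table has MAX_TC slots: 4 here, matching the 32-byte
 * 'p_data_f' object in the ASan frame (4 pointers x 8 bytes on LP64).
 * FRAME_LEN is an assumed frame length. */
#define MAX_TC    4
#define FRAME_LEN 960

/* Deliberately buggy copy: trusts n_channels and walks p_tc[ch] for every
 * ch < n_channels. If n_channels exceeds the table size, p_tc[MAX_TC] is
 * read (an 8-byte read one past the array, the kind of access ASan flagged)
 * and whatever was there is then dereferenced by memcpy. Never called below. */
void copy_tc_unchecked(float *const *p_tc, int n_channels, int len, float *out)
{
    for (int ch = 0; ch < n_channels; ch++) {
        memcpy(out + (size_t)ch * len, p_tc[ch], (size_t)len * sizeof(float));
    }
}

/* Hardened copy: the caller passes the table size alongside the channel
 * count, and a slot that was never filled in is rejected, not dereferenced. */
static int copy_tc_checked(float *const *p_tc, int n_slots, int n_channels,
                           int len, float *out)
{
    if (n_channels < 0 || n_channels > n_slots) {
        return -1; /* requested channel count disagrees with the pointer table */
    }
    for (int ch = 0; ch < n_channels; ch++) {
        if (p_tc[ch] == NULL) {
            return -1; /* decoder produced fewer channels than the renderer wants */
        }
        memcpy(out + (size_t)ch * len, p_tc[ch], (size_t)len * sizeof(float));
    }
    return 0;
}

/* Models the frame in the ASan report: data_f and p_data_f live on the stack,
 * the decoder fills n_tc_in buffers (3 for a planar scene, 4 for full FOA are
 * assumed counts) and the copy loop is asked for n_tc_out channels.
 * Returns 0 on success, -1 if the counts disagree. */
static int feed_tc(int n_tc_in, int n_tc_out, float *out)
{
    float data_f[MAX_TC][FRAME_LEN];
    float *p_data_f[MAX_TC] = { 0 }; /* zero-init: an unset slot is NULL, not garbage */

    if (n_tc_in < 0 || n_tc_in > MAX_TC) {
        return -1;
    }
    for (int ch = 0; ch < n_tc_in; ch++) {
        for (int i = 0; i < FRAME_LEN; i++) {
            data_f[ch][i] = (float)(ch + 1); /* constructed sample data */
        }
        p_data_f[ch] = data_f[ch];
    }
    return copy_tc_checked(p_data_f, MAX_TC, n_tc_out, FRAME_LEN, out);
}

/* Sum of everything feed_tc copied out, or -1.0 if the copy was refused.
 * With the constructed data, n channels sum to FRAME_LEN * n*(n+1)/2. */
static double feed_tc_sum(int n_tc_in, int n_tc_out)
{
    float out[MAX_TC * FRAME_LEN];
    if (feed_tc(n_tc_in, n_tc_out, out) != 0) {
        return -1.0;
    }
    double sum = 0.0;
    for (int i = 0; i < n_tc_out * FRAME_LEN; i++) {
        sum += out[i];
    }
    return sum;
}

int main(void)
{
    printf("4 in, 4 out: sum=%.0f\n", feed_tc_sum(4, 4));
    printf("3 in, 4 out: %s\n", feed_tc_sum(3, 4) < 0 ? "rejected" : "copied");
    printf("4 in, 5 out: %s\n", feed_tc_sum(4, 5) < 0 ? "rejected" : "copied");
    return 0;
}
```

The two checks in `copy_tc_checked` are the ones a reviewer would want at the copy site: the loop bound has to come from the size of the pointer table, not from a channel count computed elsewhere, and the table has to be initialised so that a mismatch between what the decoder filled and what the renderer asks for fails loudly instead of reading uninitialised stack memory. Building the real decoder with `make CLANG=1` and the sanitizers, as the reporter did, is the quickest way to confirm that a candidate fix removes both the ASan over-read and the MSan uninitialized-value report.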