Decoder crash with cut bit stream
Basic info
- Float reference:
- Encoder (float): 53594392
- Decoder (float):
- Fixed point:
- Encoder (fixed):
- Decoder (fixed): c93084e6
Bug description
In a mode-switching situation, the decoder accesses unallocated memory.
Ways to reproduce
The +10 dB test case stereo_at_48_kbps_48_kHz_in_48_kHz_out_DTX_on_bandwidth_switching was used as the original bit stream, encoded with the float update encoder. From this, 20 frames were extracted starting from frame 700. The result caused a crash in both the float and BASOP decoders. The problem seems to be in the control code, which is the same for all decoder versions.
Bit Stream:
# Command which was used for cutting
./scripts/cut_bs.py --frame 700 --length 20 ../stvST48n+10dB.wav_stereo_at_48_kbps_48_kHz_in_48_kHz_out_DTX_on_bandwidth_switching.192 problem.192
# Decoder command that crashes
./IVAS_dec -fr 20 STEREO 48 problem.192 problem.wav
==================================================================================================
IVAS Codec BASOP Baseline
Based on EVS Codec (Floating Point) 3GPP TS26.443 Nov 04, 2021,
Version 12.14.0 / 13.10.0 / 14.6.0 / 15.4.0 / 16.3.0
==================================================================================================
Input bitstream file: problem.192
Output synthesis file: problem.wav
Output sampling rate: 48000 Hz
Output configuration: Stereo
------ Running the decoder ------
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31227==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001003479a0 bp 0x00016fb4f390 sp 0x00016fb4e580 T0)
==31227==The signal is caused by a READ memory access.
==31227==Hint: address points to the zero page.
#0 0x1003479a0 in core_switch_lb_upsamp_fx core_switching_dec_fx.c:2020
#1 0x100340dec in core_switching_post_dec_ivas_fx core_switching_dec_fx.c:1489
#2 0x10059c0ec in ivas_core_dec_fx ivas_core_dec_fx.c:915
#3 0x1005b8594 in ivas_cpe_dec_fx ivas_cpe_dec_fx.c:596
#4 0x10067b828 in ivas_jbm_dec_tc_fx ivas_jbm_dec_fx.c:162
#5 0x100964fe0 in IVAS_DEC_GetTcSamples lib_dec_fx.c:1426
#6 0x10095f428 in IVAS_DEC_GetSamples lib_dec_fx.c:1071
#7 0x100282ee0 in decodeG192 decoder.c:1684
#8 0x1002764bc in main decoder.c:577
#9 0x18c13ab48 (<unknown module>)
==31227==Register values:
x[0] = 0x000000016fb4eb50 x[1] = 0x0000000000000000 x[2] = 0x000000000000003c x[3] = 0x000000702df89d48
x[4] = 0x000000702df89d80 x[5] = 0x00000000000003c0 x[6] = 0x0000000000000000 x[7] = 0x0000000000000000
x[8] = 0x0000007000020000 x[9] = 0x0000000000000000 x[10] = 0x0000000000002f48 x[11] = 0x00000000000001e0
x[12] = 0x00000000000000f0 x[13] = 0x000000016fb4e580 x[14] = 0x000000016fb4f260 x[15] = 0x000000010550bfec
x[16] = 0x000000018c512f80 x[17] = 0x00000001024245e8 x[18] = 0x0000000000000000 x[19] = 0x000000016fb4ece0
x[20] = 0x00000001fb130018 x[21] = 0x000000016fb8f348 x[22] = 0x0fffffff0009d01e x[23] = 0x00000001fb130018
x[24] = 0x00000001fb130150 x[25] = 0x000000016fb8f4b0 x[26] = 0x0000000000000000 x[27] = 0x0000000000000000
x[28] = 0x0000000000000000 fp = 0x000000016fb4f390 lr = 0x00000001003478e8 sp = 0x000000016fb4e580
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV core_switching_dec_fx.c:2020 in core_switch_lb_upsamp_fx
==31227==ABORTING
Frames processed: Abort trap: 6
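The reproduction step above cuts whole frames out of a G.192 file (the decoder entry point in the trace is decodeG192), so the decoder starts on frame 700 with freshly initialised state. The following is an added example, not the project's cut_bs.py: a frame-aligned cutter that validates every frame header before slicing. The 0-based frame index, little-endian 16-bit words and all function names are assumptions of this sketch.

```python
import struct

SYNC_GOOD, SYNC_BAD = 0x6B21, 0x6B20  # G.192 sync words: good frame / erased frame


def iter_frames(data: bytes):
    """Yield (offset, raw_bytes) per G.192 frame; raise ValueError on malformed input."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError(f"truncated frame header at byte {pos}")
        sync, nbits = struct.unpack_from("<HH", data, pos)  # assumption: little-endian
        if sync not in (SYNC_GOOD, SYNC_BAD):
            raise ValueError(f"bad sync word 0x{sync:04X} at byte {pos}")
        end = pos + 4 + 2 * nbits  # header (2 words) + one 16-bit word per payload bit
        if end > len(data):
            raise ValueError(f"frame at byte {pos} declares {nbits} bits, file ends early")
        yield pos, data[pos:end]
        pos = end


def cut_frames(data: bytes, start: int, length: int) -> bytes:
    """Return `length` whole frames beginning at 0-based frame index `start`."""
    frames = [raw for _, raw in iter_frames(data)]
    if start < 0 or length < 1 or start + length > len(frames):
        raise ValueError(f"requested frames {start}..{start + length - 1} of {len(frames)}")
    return b"".join(frames[start:start + length])


def make_frame(bits, sync=SYNC_GOOD) -> bytes:
    """Build a constructed sample frame: bit 0 -> 0x007F, bit 1 -> 0x0081."""
    words = [0x0081 if b else 0x007F for b in bits]
    return struct.pack(f"<HH{len(words)}H", sync, len(words), *words)


if __name__ == "__main__":
    # Constructed six-frame stream with varying frame sizes (not real codec data).
    stream = b"".join(make_frame([i & 1] * (8 + i)) for i in range(6))
    cut = cut_frames(stream, start=2, length=3)
    print(len(list(iter_frames(cut))), "frames,", len(cut), "bytes")
```

Running `iter_frames` over a cut file before attaching it to a report confirms the reproducer is frame-aligned, so a crash can be attributed to decoder state handling rather than to a malformed container.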