
ASAN: crash due to heap-use-after-free in HRTF loading with BINAURAL_ROOM_IR

Basic info

  • Fixed point:

Bug description

There is still a bug in one of the HRTF loading testcases which causes the BASOP decoder to crash. Running with Clang ASAN reveals a heap-use-after-free:

==66877==ERROR: AddressSanitizer: heap-use-after-free on address 0x61c000010e20 at pc 0x000100c15ee0 bp 0x00016f8bc4f0 sp 0x00016f8bc4e8
READ of size 2 at 0x61c000010e20 thread T0
    #0 0x000100c15edc in ivas_rend_crendConvolver_fx ivas_crend_fx.c:2296
    #1 0x000100c1504c in ivas_rend_crendProcessSubframe_fx ivas_crend_fx.c:2843
    #2 0x0001008a1d20 in ivas_jbm_dec_render_fx ivas_jbm_dec_fx.c:2088
    #3 0x000100b093a4 in IVAS_DEC_GetRenderedSamples lib_dec_fx.c:1889
    #4 0x000100b05da8 in IVAS_DEC_GetSamples lib_dec_fx.c:1278
    #5 0x00010052b0cc in decodeG192 decoder.c:2283
    #6 0x00010051eb54 in main decoder.c:749
    #7 0x00018b44eb94  (<unknown module>)

0x61c000010e20 is located 1440 bytes inside of 1800-byte region [0x61c000010880,0x61c000010f88)
freed by thread T0 here:
    #0 0x0001020c5400 in free+0x7c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3d400)
    #1 0x000100ce22a8 in ivas_HRTF_CRend_binary_close_fx ivas_hrtf_fx.c:215
    #2 0x000100b12acc in IVAS_DEC_HRTF_binary_close lib_dec_fx.c:2782
    #3 0x00010052e890 in load_hrtf_from_file decoder.c:3375
    #4 0x00010052af44 in decodeG192 decoder.c:2261
    #5 0x00010051eb54 in main decoder.c:749
    #6 0x00018b44eb94  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x0001020c530c in malloc+0x78 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3d30c)
    #1 0x000100ce199c in ivas_HRTF_CRend_binary_open_fx ivas_hrtf_fx.c:99
    #2 0x000100b125dc in IVAS_DEC_HRTF_binary_open lib_dec_fx.c:2704
    #3 0x00010052e8bc in load_hrtf_from_file decoder.c:3384
    #4 0x00010052af44 in decodeG192 decoder.c:2261
    #5 0x00010051eb54 in main decoder.c:749
    #6 0x00018b44eb94  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free ivas_crend_fx.c:2296 in ivas_rend_crendConvolver_fx
Shadow bytes around the buggy address:
  0x61c000010b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x61c000010c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x61c000010c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x61c000010d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x61c000010d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x61c000010e00: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x61c000010e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x61c000010f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x61c000010f80: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x61c000011000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x61c000011080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==66877==ABORTING
fish: Job 1, './IVAS_dec -hrtf ../ivas-codec/…' terminated by signal SIGABRT (Abort)

Ways to reproduce

Run the testcase "tests/codec_be_on_mr_nonselection/test_param_file.py::test_param_file_tests[stv-4 ISM w and wo md br switching 24.4 kbps to 256 kbps, 48 kHz in, 48 kHz out, DTX on, BINAURAL_ROOM_IR out (Model from file)]" or:

./IVAS_dec -hrtf scripts/binauralRenderer_interface/binaural_renderers_hrtf_data/ivas_binaural_48kHz.bin BINAURAL_ROOM_IR 48 bit out.wav