ASAN: stack-buffer-overflow in lib_com/preemph_fx.c:91:14

Basic Info

• Commit SHA: 187213dc

Bug description

ASAN found an stack-buffer-overflow error at lib_com/preemph_fx.c:91:14:

==20081==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd68dce968 at pc 0x00000117acb8 bp 0x7ffd68dccc30 sp 0x7ffd68dccc28
WRITE of size 4 at 0x7ffd68dce968 thread T0
#0 0x117acb7 in preemph_copy_32fx2 /builds/rep/sa4/audio/ivas-basop/lib_com/preemph_fx.c:91:14
#1 0xafea9a in ivas_compute_core_buffers_fx /builds/rep/sa4/audio/ivas-basop/lib_enc/ivas_core_pre_proc_fx.c:1107:13
#2 0xaf9a5a in pre_proc_ivas_fx /builds/rep/sa4/audio/ivas-basop/lib_enc/ivas_core_pre_proc_fx.c:618:9
#3 0xacfb6f in ivas_core_enc_fx /builds/rep/sa4/audio/ivas-basop/lib_enc/ivas_core_enc_fx.c:238:9
#4 0xb228c7 in ivas_cpe_enc_fx /builds/rep/sa4/audio/ivas-basop/lib_enc/ivas_cpe_enc_fx.c:1283:5
#5 0x58464c in ivas_enc_fx /builds/rep/sa4/audio/ivas-basop/lib_enc/ivas_enc_fx.c:180:9
#6 0x4eb183 in IVAS_ENC_EncodeFrameToSerial /builds/rep/sa4/audio/ivas-basop/lib_enc/lib_enc_fx.c:1502:13
#7 0x4d53e1 in main /builds/rep/sa4/audio/ivas-basop/apps/encoder.c:877:28
#8 0x7fca22b79d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#9 0x7fca22b79e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#10 0x41f3c4 in _start (/builds/rep/sa4/audio/ivas-basop/IVAS_cod+0x41f3c4)

Address 0x7ffd68dce968 is located in stack of thread T0 at offset 7272 in frame
#0 0xafaf5f in ivas_compute_core_buffers_fx /builds/rep/sa4/audio/ivas-basop/lib_enc/ivas_core_pre_proc_fx.c:765

This frame has 12 object(s):
[32, 122) 'temp1F_icatdmResampBuf_fx' (line 768)
[160, 340) 'mem_decim16k_dummy_fx' (line 769)
[416, 4256) 'input_buf_fx' (line 769)
[4384, 5024) 'new_inp_resamp16k_fx' (line 774)
[5152, 5154) 'tmp_fx' (line 774)
[5168, 5170) 'Q_tmp' (line 775)
[5184, 5186) 'mem_decim16k_size' (line 775)
[5200, 5234) 'epsP_h' (line 776)
[5280, 5314) 'epsP_l' (line 777)
[5360, 5362) 'Q_min' (line 779)
[5376, 7216) 'sig_out' (line 789) <== Memory access at offset 7272 overflows this variable
[7344, 7348) 'max_32' (line 789)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /builds/rep/sa4/audio/ivas-basop/lib_com/preemph_fx.c:91:14 in preemph_copy_32fx2

How to reproduce

Build with

make clean
make -j CLANG=2

Then run

IVAS_cod -stereo scripts/switchPaths/sw_13k2_to_128k_10fr.bin 32 scripts/testv/ltv32_STEREO.wav ltv32_STEREO.wav_stereo_bitrate_switching_from_13_2_kbps_to_128_kbps_32kHz_in_32kHz_out.192

or

python3 -m pytest "test_param_file_tests[ltv-stereo bitrate switching from 13.2 kbps to 128 kbps, 32kHz in, 32kHz out]" -n auto --update_ref --ref_encoder_path ./IVAS_cod --ref_decoder_path ./IVAS_dec