Wrong index used in ivas_sns_com_fx.c:146
Git version: 71da9eaa
TL;DR: there is a typo in `ivas_sns_com_fx.c` at line 146. This is the code snippet:

```c
/* Noise floor at -40dB */
sum = 0;
for (Word16 ind = 0; ind < FDNS_NPTS; ind++) {
    sum += (Word64)xs[i];
}
```
The loop variable is called `ind`, but `i` is used to index into `xs`. At this point `i` has the value 64 (one past the end of `xs`), so every iteration reads memory that does not belong to the array. The intention here is to get the sum of the array elements in `xs`; see the corresponding float code:

```c
/* Noise floor at -40dB */
sum = sum_f( xs, FDNS_NPTS );
```
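To make the failure mechanism concrete, here is an added example (not code from the ivas-basop repository) that puts the defective loop next to the corrected one. It assumes `Word16`/`Word32`/`Word64` typedefs standing in for the BASOP types, `FDNS_NPTS = 64` (the `Word32 [64]` reported by UBSan), and a constructed input buffer with one extra word after `xs` that stands in for whatever follows the array on the stack, so the read at `xs[64]` lands on defined memory and its effect on the sum can be observed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed typedefs standing in for the BASOP fixed-point types. */
typedef int16_t Word16;
typedef int32_t Word32;
typedef int64_t Word64;
#define FDNS_NPTS 64           /* size of xs, as reported by UBSan: Word32 [64] */
#define NEIGHBOUR_VALUE 12345  /* constructed value of the word that follows xs */

/* Copy of the defective loop from ivas_sns_com_fx.c:146: the counter is
 * ind, but the stale index i (== FDNS_NPTS at that point) is used, so every
 * iteration reads one past the end of xs and ind is never consulted. */
static Word64 noise_floor_sum_buggy(const Word32 *xs, Word16 i)
{
    Word64 sum = 0;
    for (Word16 ind = 0; ind < FDNS_NPTS; ind++) {
        sum += (Word64)xs[i];
    }
    return sum;
}

/* Corrected loop: sum every element of xs, matching sum_f(xs, FDNS_NPTS). */
static Word64 noise_floor_sum_fixed(const Word32 *xs)
{
    Word64 sum = 0;
    for (Word16 ind = 0; ind < FDNS_NPTS; ind++) {
        sum += (Word64)xs[ind];
    }
    return sum;
}

/* Builds a constructed xs (values 1..64, true sum 2080) followed by one
 * guard word, then returns the buggy or the fixed sum over it. */
Word64 run_demo(int use_fixed)
{
    Word32 buf[FDNS_NPTS + 1];
    for (Word16 k = 0; k < FDNS_NPTS; k++) buf[k] = (Word32)(k + 1);
    buf[FDNS_NPTS] = NEIGHBOUR_VALUE;   /* stands in for the stack neighbour */
    return use_fixed ? noise_floor_sum_fixed(buf)
                     : noise_floor_sum_buggy(buf, (Word16)FDNS_NPTS);
}

int main(void)
{
    printf("buggy sum: %lld (64 x neighbour word)\n", (long long)run_demo(0));
    printf("fixed sum: %lld\n", (long long)run_demo(1));
    return 0;
}
```

Without a sanitizer the buggy loop silently returns 64 copies of the neighbouring word instead of the noise-floor sum, which is why the later NaN and assert symptoms move around depending on stack layout.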
============= Old observations below ======================
Using the stereo ltv testvector and this error pattern from the float repository (which is not part of the tests in the BASOP CI), this results in a crash (tested on Mac and Linux):

```sh
./IVAS_cod -max_band FB -stereo 48000 48 ltv48_STEREO.wav bit
eid-xor -fer -vbr bit ep_10pct_fer.g192 bit_fer
./IVAS_dec stereo 48 bit_fer out.wav
```
The reason for the crash is that the array `concealment_noise` contains NaN values in frame 733 at `ivas_mdct_core_invQ.c:937`, which ultimately results in an assert in `float_to_fix()`. When I ran this in the debugger and put a breakpoint before it to see when the NaN values are introduced, though, the assert is not hit anymore. This hints at some kind of undefined behaviour bug.
Running the decoder with the address sanitizer build (`make CLANG=2`) already crashes in frame 48:
```
=================================================================
==223511==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd5d65e3c0 at pc 0x0000011d015f bp 0x7ffd5d65e150 sp 0x7ffd5d65e148
READ of size 4 at 0x7ffd5d65e3c0 thread T0
    #0 0x11d015e in sns_compute_scf_fx /local/knj/ivas-basop/lib_com/ivas_sns_com_fx.c:146:24
    #1 0x9278a6 in TonalMdctConceal_whiten_noise_shape_ivas /local/knj/ivas-basop/lib_dec/tonalMDCTconcealment.c:1302:9
    #2 0x58495c in ApplyFdCng_flt /local/knj/ivas-basop/lib_dec/fd_cng_dec.c:500:25
    #3 0x846d03 in run_min_stats /local/knj/ivas-basop/lib_dec/ivas_stereo_mdct_core_dec.c:714:13
    #4 0x8444d7 in stereo_mdct_core_dec /local/knj/ivas-basop/lib_dec/ivas_stereo_mdct_core_dec.c:422:5
    #5 0xc53c7d in ivas_core_dec /local/knj/ivas-basop/lib_dec/ivas_core_dec.c:448:17
    #6 0xc6f9fe in ivas_cpe_dec_fx /local/knj/ivas-basop/lib_dec/ivas_cpe_dec_fx.c:436:9
    #7 0x649b01 in ivas_jbm_dec_tc /local/knj/ivas-basop/lib_dec/ivas_jbm_dec.c:146:9
    #8 0x4edb87 in IVAS_DEC_GetTcSamples /local/knj/ivas-basop/lib_dec/lib_dec_fx.c:1071:9
    #9 0x4ebaaf in IVAS_DEC_GetSamples /local/knj/ivas-basop/lib_dec/lib_dec_fx.c:904:17
    #10 0x4de510 in decodeG192 /local/knj/ivas-basop/apps/decoder.c:1675:28
    #11 0x4d20ff in main /local/knj/ivas-basop/apps/decoder.c:576:17
    #12 0x7f1471d2a249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f1471d2a304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #14 0x41f5a0 in _start (/local/knj/ivas-basop/IVAS_dec+0x41f5a0)

Address 0x7ffd5d65e3c0 is located in stack of thread T0 at offset 608 in frame
    #0 0x11cee6f in sns_compute_scf_fx /local/knj/ivas-basop/lib_com/ivas_sns_com_fx.c:59

  This frame has 4 object(s):
    [32, 288) 'x' (line 61)
    [352, 608) 'xs' (line 61) <== Memory access at offset 608 overflows this variable
    [672, 736) 'xl4' (line 61)
    [768, 1024) 'xl' (line 61)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /local/knj/ivas-basop/lib_com/ivas_sns_com_fx.c:146:24 in sns_compute_scf_fx
Shadow bytes around the buggy address:
  0x10002bac3c20: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10002bac3c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002bac3c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002bac3c50: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10002bac3c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002bac3c70: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
  0x10002bac3c80: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
  0x10002bac3c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002bac3ca0: 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
  0x10002bac3cb0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002bac3cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==223511==ABORTING
```
Running with the memory sanitizer build (`make CLANG=1`) crashes at another point (frame 717):
```
==233087==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x1cdc312 in norm_l /local/knj/ivas-basop/lib_com/basop32.c:3401:10
    #1 0x1011232 in TonalMdctConceal_whiten_noise_shape_ivas /local/knj/ivas-basop/lib_dec/tonalMDCTconcealment.c:1291:71
    #2 0x637f2e in ApplyFdCng_flt /local/knj/ivas-basop/lib_dec/fd_cng_dec.c:500:25
    #3 0xdc42b3 in run_min_stats /local/knj/ivas-basop/lib_dec/ivas_stereo_mdct_core_dec.c:714:13
    #4 0xdbf090 in stereo_mdct_core_dec /local/knj/ivas-basop/lib_dec/ivas_stereo_mdct_core_dec.c:422:5
    #5 0x18f3b25 in ivas_core_dec /local/knj/ivas-basop/lib_dec/ivas_core_dec.c:448:17
    #6 0x19306b7 in ivas_cpe_dec_fx /local/knj/ivas-basop/lib_dec/ivas_cpe_dec_fx.c:436:9
    #7 0x850b5a in ivas_jbm_dec_tc /local/knj/ivas-basop/lib_dec/ivas_jbm_dec.c:146:9
    #8 0x4eab24 in IVAS_DEC_GetTcSamples /local/knj/ivas-basop/lib_dec/lib_dec_fx.c:1071:9
    #9 0x4e4685 in IVAS_DEC_GetSamples /local/knj/ivas-basop/lib_dec/lib_dec_fx.c:904:17
    #10 0x4c2e0a in decodeG192 /local/knj/ivas-basop/apps/decoder.c:1675:28
    #11 0x4a6ea7 in main /local/knj/ivas-basop/apps/decoder.c:576:17
    #12 0x7f2542d8a249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f2542d8a304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #14 0x421540 in _start (/local/knj/ivas-basop/IVAS_dec+0x421540)

  Uninitialized value was stored to memory at
    #0 0x1cdc261 in norm_l /local/knj/ivas-basop/lib_com/basop32.c:3398
    #1 0x1011232 in TonalMdctConceal_whiten_noise_shape_ivas /local/knj/ivas-basop/lib_dec/tonalMDCTconcealment.c:1291:71
    #2 0x637f2e in ApplyFdCng_flt /local/knj/ivas-basop/lib_dec/fd_cng_dec.c:500:25
    #3 0xdc42b3 in run_min_stats /local/knj/ivas-basop/lib_dec/ivas_stereo_mdct_core_dec.c:714:13
    #4 0xdbf090 in stereo_mdct_core_dec /local/knj/ivas-basop/lib_dec/ivas_stereo_mdct_core_dec.c:422:5
    #5 0x18f3b25 in ivas_core_dec /local/knj/ivas-basop/lib_dec/ivas_core_dec.c:448:17
    #6 0x19306b7 in ivas_cpe_dec_fx /local/knj/ivas-basop/lib_dec/ivas_cpe_dec_fx.c:436:9
    #7 0x850b5a in ivas_jbm_dec_tc /local/knj/ivas-basop/lib_dec/ivas_jbm_dec.c:146:9
    #8 0x4eab24 in IVAS_DEC_GetTcSamples /local/knj/ivas-basop/lib_dec/lib_dec_fx.c:1071:9
    #9 0x4e4685 in IVAS_DEC_GetSamples /local/knj/ivas-basop/lib_dec/lib_dec_fx.c:904:17
    #10 0x4c2e0a in decodeG192 /local/knj/ivas-basop/apps/decoder.c:1675:28
    #11 0x4a6ea7 in main /local/knj/ivas-basop/apps/decoder.c:576:17
    #12 0x7f2542d8a249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

  Uninitialized value was created by an allocation of 'whitenend_noise_shape' in the stack frame of function 'TonalMdctConceal_whiten_noise_shape_ivas'
    #0 0x100f910 in TonalMdctConceal_whiten_noise_shape_ivas /local/knj/ivas-basop/lib_dec/tonalMDCTconcealment.c:1254
```
Running with the Undefined Behaviour sanitizer gives this in frame 48 (among other reports which are probably unrelated):

```
lib_com/ivas_sns_com_fx.c:146:24: runtime error: index 64 out of bounds for type 'Word32 [64]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lib_com/ivas_sns_com_fx.c:146:24 in
fish: Job 1, './IVAS_dec stereo 48 bit_fer ou…' terminated by signal SIGILL (Illegal instruction)
```
I suspect that all of these are related or could have the same cause.