Skip to content

Possible crash in apply_noisefill_HQ_fx

from the function apply_noisefill_HQ_fx()

In the code below, L_E_cb_vec = L_mac0(...) can saturate because cb_buff can have values using more than 12 bits. Given sfmsize[sfm] can have a value of 64, cb_buff shouldn't use mor than 12 bits, otherwise the saturation risk is high.

with 3e3ac86d, I obtained a crash at 24.4 kbps for one bitstream. Bitstream can be sent on demand.

                   L_E_cb_vec = L_deposit_l( 0 );
                    IF( LT_16( sfm, 20 ) )
                    {
                        FOR( i = 0; i < sfmsize[sfm]; i++ )
                        {
                            cb_buff[i] = CodeBook_mod[cb_pos++];
                            move16();
                            L_E_cb_vec = L_mac0( L_E_cb_vec, cb_buff[i], cb_buff[i] ); /*Q24 (12+12) */

                            if ( GE_16( cb_pos, cb_size ) )
                            {
                                cb_pos = 0;
                                move16();
                            }
                        }
                    }
                    ELSE
                    {
                        FOR( i = 0; i < sfmsize[sfm]; i++ )
                        {
                            cb_buff[i] = CodeBook[cb_pos++];
                            move16();
                            L_E_cb_vec = L_mac0( L_E_cb_vec, cb_buff[i], cb_buff[i] ); /*Q24 (12+12) */

                            if ( GE_16( cb_pos, cb_size ) )
                            {
                                cb_pos = 0;
                                move16();
                            }
                        }
                    }

The floating point equivalent code has values from 2 to -2, which becomes 8192 to -8192 in fixed point Q12