From f3550e69001068f3187efececff2be68d883b353 Mon Sep 17 00:00:00 2001
From: Manuel Jander <manuel.jander@iis.fraunhofer.de>
Date: Wed, 12 Mar 2025 10:45:04 +0100
Subject: [PATCH 1/2] Fix issue 1378 (invalid read access)

---
 lib_com/options.h      |  1 +
 lib_dec/dec_acelp_fx.c | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/lib_com/options.h b/lib_com/options.h
index d03261715..5d1d0d6e1 100644
--- a/lib_com/options.h
+++ b/lib_com/options.h
@@ -171,5 +171,6 @@
 //#define OPT_STEREO_32KBPS_V1                    /* Optimization made in stereo decoding path for 32kbps decoding */
 #define DOT_PROD_CHOLESKY_64BIT                 /* FhG: Issue 1323, optimized 64 bit implementation of dot_product_cholesky() */
 #define OPT_BASOP_ADD_v1                        /* optimizations to avoid usage of BASOP_Util_Add_MantExp */
+#define FIX_1378_ACELP_OUT_OF_BOUNDS            /* Avoid index -1 in array read access  */
 #define FIX_ISSUE_1327                          /* Ittiam: Fix for issue 1327: Glitch when stereo is switching from TD to FD*/
 #endif
diff --git a/lib_dec/dec_acelp_fx.c b/lib_dec/dec_acelp_fx.c
index 07750469f..51cbef624 100644
--- a/lib_dec/dec_acelp_fx.c
+++ b/lib_dec/dec_acelp_fx.c
@@ -169,6 +169,7 @@ void D_ACELP_indexing_fx(
         pulses = pulsestrack[0];
         move16();
 
+#ifndef FIX_1378_ACELP_OUT_OF_BOUNDS
         /* safety check in case of bit errors */
         IF( GE_64( s, pulsestostates[16][pulses - 1] ) )
         {
@@ -177,9 +178,20 @@ void D_ACELP_indexing_fx(
             move16();
             return;
         }
+#endif
 
         IF( pulses )
         {
+#ifdef FIX_1378_ACELP_OUT_OF_BOUNDS
+            /* safety check in case of bit errors */
+            IF( GE_64( s, pulsestostates[16][pulses - 1] ) )
+            {
+                set16_fx( code, 0, L_SUBFR );
+                *BER_detect = 1;
+                move16();
+                return;
+            }
+#endif
             D_ACELP_decode_arithtrack_fx( code, s, pulses, num_tracks, 16 );
         }
         ELSE
-- 
GitLab


From 74f18249e5b2aeafe6b8496089ab0e3534fd952d Mon Sep 17 00:00:00 2001
From: Manuel Jander <manuel.jander@iis.fraunhofer.de>
Date: Mon, 31 Mar 2025 13:42:54 +0200
Subject: [PATCH 2/2] Reactivate FIX_1378_ACELP_OUT_OF_BOUNDS after merge from
 main

---
 lib_com/options.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib_com/options.h b/lib_com/options.h
index 4653bb460..2b88deb5d 100644
--- a/lib_com/options.h
+++ b/lib_com/options.h
@@ -67,6 +67,8 @@
 #define BASOP_NOGLOB_DECLARE_LOCAL
 #endif
 
+#define FIX_1378_ACELP_OUT_OF_BOUNDS
+
 /* Note: each compile switch (FIX_1101_...) is independent from the other ones */
 //#define OPT_STEREO_32KBPS_V1                    /* Optimization made in stereo decoding path for 32kbps decoding */
 #define OPT_AVOID_STATE_BUF_RESCALE             /* Optimization made to avoid rescale of synth state buffer */
-- 
GitLab