From 9effd7264b92d3385a1b04ff9389cdf39476fec8 Mon Sep 17 00:00:00 2001
From: Sandesh Venkatesh
Date: Wed, 21 Feb 2024 13:54:21 +0530
Subject: [PATCH] Fix for use-of-uninitialized-value issue 686
[x] This issue happened in ivas_mdct_core_invQ function due to use-of-uninitialized-value. Fix made to address the issue.
[x] After the initial fix, crash was observed in further frames in sns_interpolate_scalefactors_fx function. The buffer size is updated with which the issue is resolved.
---
 lib_dec/ivas_core_dec.c | 6 ++++++
 lib_dec/ivas_mdct_core_dec.c | 13 +++++--------
 lib_dec/ivas_stereo_mdct_core_dec_fx.c | 4 ++--
 3 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/lib_dec/ivas_core_dec.c b/lib_dec/ivas_core_dec.c
index c70d98de4..666d5840c 100644
--- a/lib_dec/ivas_core_dec.c
+++ b/lib_dec/ivas_core_dec.c
@@ -73,6 +73,9 @@ ivas_error ivas_core_dec(
 int16_t sharpFlag[CPE_CHANNELS];
 float synth[CPE_CHANNELS][L_FRAME48k];
 float tmp_buffer[L_FRAME48k];
+#ifdef IVAS_FLOAT_FIXED
+ set_zero(tmp_buffer, L_FRAME48k);
+#endif
 int16_t tmps, incr;
 float bwe_exc_extended[CPE_CHANNELS][L_FRAME32k + NL_BUFF_OFFSET];
 float voice_factors[CPE_CHANNELS][NB_SUBFR16k];
@@ -806,6 +809,9 @@ ivas_error ivas_core_dec(
 Word32 *hb_synth_0 = (Word32 *) malloc( sizeof( Word32 ) * L_FRAME48k );
 Word32 *hb_synth_1 = (Word32 *) malloc( sizeof( Word32 ) * L_FRAME48k );
 Word32 tmp_buffer_fx[L_FRAME48k];
+#ifdef IVAS_FLOAT_FIXED
+ set32_fx(tmp_buffer_fx, 0, L_FRAME48k);
+#endif
 Word32 voice_factor_fx[NB_SUBFR16k];
 Word16 q = 16;
 floatToFixed_arrL( hb_synth[0], hb_synth_0, q, L_FRAME48k );
diff --git a/lib_dec/ivas_mdct_core_dec.c b/lib_dec/ivas_mdct_core_dec.c
index dbe3faa78..0bf43f369 100644
--- a/lib_dec/ivas_mdct_core_dec.c
+++ b/lib_dec/ivas_mdct_core_dec.c
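Review bot: The `set_zero(tmp_buffer, L_FRAME48k)` added after the declarations clears the whole scratch array on every call, which silences the uninitialized read without showing which consumer reads elements that no producer wrote; the same applies to `set32_fx(tmp_buffer_fx, 0, L_FRAME48k)` in the hunk at line 806. If the cause is a length mismatch between the code that fills the buffer and the code that reads it, that mismatch is still there and sanitizers will no longer report it. I would add a comment naming the reader, for example `/* zeroed because <consumer> reads beyond the samples written for this frame - TODO confirm */`, and check whether the non-fixed build reads `tmp_buffer` on the same path, since the clear is compiled only under `IVAS_FLOAT_FIXED`. The body of ivas_core_dec continues outside both hunks.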
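Review bot: In the hunk at line 806 the context lines allocate `hb_synth_0` and `hb_synth_1` with `malloc`, and the last visible line, `floatToFixed_arrL( hb_synth[0], hb_synth_0, q, L_FRAME48k )`, writes L_FRAME48k elements through the first pointer with no NULL check in between. Since this commit is already hardening these locals, a guard such as `if ( hb_synth_0 == NULL || hb_synth_1 == NULL )` that frees whichever allocation succeeded and returns the decoder's allocation-failure error would close that path. Which error value to return, and whether a check exists later in the function, cannot be seen from the hunk.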
@@ -1068,17 +1068,14 @@ void ivas_mdct_core_invQ(
 if ( st->mct_chan_mode != MCT_CHAN_MODE_IGNORE )
 {
 #ifdef IVAS_FLOAT_FIXED
- Word32 SNS_Q_fx[CPE_CHANNELS][NB_DIV][M];
+ Word32 SNS_Q_fx[NB_DIV][M];
 Word16 q_snsq = 0;
- sns_avq_dec_fx( param_lpc[ch], SNS_Q_fx[ch], &q_snsq, st->L_frame, st->numlpc );
- for ( int i = 0; i < CPE_CHANNELS; i++ )
+ sns_avq_dec_fx( param_lpc[ch], SNS_Q_fx, &q_snsq, st->L_frame, st->numlpc );
+ for ( int j = 0; j < NB_DIV; j++ )
 {
- for ( int j = 0; j < NB_DIV; j++ )
+ for ( k = 0; k < M; k++ )
 {
- for ( k = 0; k < M; k++ )
- {
- sns[i][j][k] = fix_to_float( SNS_Q_fx[i][j][k], q_snsq );
- }
+ sns[ch][j][k] = fix_to_float( SNS_Q_fx[j][k], q_snsq );
 }
 }
 #ifdef DUMPS_ENABLED
diff --git a/lib_dec/ivas_stereo_mdct_core_dec_fx.c b/lib_dec/ivas_stereo_mdct_core_dec_fx.c
index 424a27188..505ce61e3 100644
--- a/lib_dec/ivas_stereo_mdct_core_dec_fx.c
+++ b/lib_dec/ivas_stereo_mdct_core_dec_fx.c
@@ -278,8 +278,8 @@ void stereo_mdct_core_dec_fx(
 float sns_int_scf[FDNS_NPTS];
 #ifdef IVAS_FLOAT_FIXED
- Word32 sns_int_scf_fx[FDNS_NPTS], Aq_fx[SNS_NPTS];
- FOR( int c = 0; c < SNS_NPTS; c++ )
+ Word32 sns_int_scf_fx[FDNS_NPTS], Aq_fx[(NB_SUBFR16k + 1) * (M + 1)];
+ FOR(int c = 0; c < (NB_SUBFR16k + 1) * (M + 1); c++)
 {
 Aq_fx[c] = (Word32) ( Aq[ch][k * M + c] * ONE_IN_Q16 );
 }
-- GitLab
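Review bot: The conversion loop in ivas_mdct_core_invQ still walks all `NB_DIV` rows of `SNS_Q_fx`, while the decoder call above it is given `st->numlpc`; if `sns_avq_dec_fx` fills only `numlpc` rows (its body is not in this hunk), the remaining row is read uninitialized whenever `numlpc < NB_DIV`, which is the same class of bug this commit is fixing. Either declare the array zeroed, `Word32 SNS_Q_fx[NB_DIV][M] = { { 0 } };`, or bound the outer loop with `j < st->numlpc` after confirming that nothing downstream reads `sns[ch][j]` for the rows that would be skipped. The enclosing function starts and ends outside the hunk.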
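Review bot: The copy loop in stereo_mdct_core_dec_fx now reads `Aq[ch][k * M + c]` for every `c` below `(NB_SUBFR16k + 1) * (M + 1)`, so the highest source index is `k * M` plus the full new length; if `Aq[ch]` itself holds `(NB_SUBFR16k + 1) * (M + 1)` elements (its declaration is outside the hunk), any `k > 0` reads past its end. Enlarging `Aq_fx` addresses the crash the commit message reports in sns_interpolate_scalefactors_fx, but it moves the bounds risk to the source side of the copy. I would bound the copy by what remains from the offset, `c < ( NB_SUBFR16k + 1 ) * ( M + 1 ) - k * M`, zero the rest of `Aq_fx`, and give the size a named constant instead of repeating the expression in the declaration and the loop. The code that sets `k` and the rest of the function lie outside the hunk.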