From 867348fd5eedc81d6702ac48a0b03dc722160abd Mon Sep 17 00:00:00 2001
From: Markus Multrus <markus.multrus@iis.fraunhofer.de>
Date: Fri, 12 Dec 2025 13:35:38 +0100
Subject: [PATCH 1/3] fix for UBSAN issue in RC context mapping; this reflects
 changes from float, and corrects the BASOP instrumentation/operators

---
 lib_com/options.h                 |  1 +
 lib_dec/ACcontextMapping_dec_fx.c | 14 ++++++++++++++
 lib_enc/ACcontextMapping_enc_fx.c | 26 ++++++++++++++++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/lib_com/options.h b/lib_com/options.h
index ee8c6be3a..df085b5f6 100644
--- a/lib_com/options.h
+++ b/lib_com/options.h
@@ -89,6 +89,7 @@
 #define FIX_2252_SCALING_SAVE_HB_SYNTH                  /* VA: issue 2252: fix use-of-uninit-value in save_hb_synth_fx[] scaling in FOA decoding with bitstream that starts with an SID */
 #define FIX_2248_EVS_ASSERT                             /* VA: Include _sat in an EVS related part of the code */
 #define FIX_2254_IMPROV_COMPLEXITY_BE                   /* VA: BE small complexity reduction  */
+#define FIX_1464_UBSAN_RC_CONTEXT_MAP                   /* FhG: BE UBSAN fix for float issue 1464 in the TCX range coder */
 
 /* #################### End BE switches ################################## */
 
diff --git a/lib_dec/ACcontextMapping_dec_fx.c b/lib_dec/ACcontextMapping_dec_fx.c
index 60269751b..f97d553e6 100644
--- a/lib_dec/ACcontextMapping_dec_fx.c
+++ b/lib_dec/ACcontextMapping_dec_fx.c
@@ -588,7 +588,11 @@ Word16 RCcontextMapping_decode2_no_mem_s17_LCS_fx(
     ELSE /* if(!hm_cfg) */
     {
         Word16 c, rateQ;
+#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
+        UWord32 s;
+#else
         UWord16 s;
+#endif
 
         /* Rate flag */
         IF( GT_16( nbbits, 400 ) )
@@ -613,7 +617,11 @@ Word16 RCcontextMapping_decode2_no_mem_s17_LCS_fx(
         t = 0;
         move16();
         s = 0;
+#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
+        move32();
+#else
         move16();
+#endif
         /* Main Loop through the 2-tuples */
         FOR( k = 0; k < lastnz; k += 2 )
         {
@@ -701,9 +709,15 @@ Word16 RCcontextMapping_decode2_no_mem_s17_LCS_fx(
                 c = add( 12, esc_nb );
             }
 
+#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
+            s = L_shl( s, 4 ); /*Shift old 4 bits*/
+            s = L_add( s, c ); /*replace last 4 bits*/
+            t = extract_l( L_and( s, 0xFF ) );
+#else
             s = (UWord16) L_shl( s, 4 ); /*Shift old 4 bits*/
             s = (UWord16) L_add( s, c ); /*replace last 4 bits*/
             t = (UWord16) L_and( s, 0xFF );
+#endif
         }
 
         /* Decode signs */
diff --git a/lib_enc/ACcontextMapping_enc_fx.c b/lib_enc/ACcontextMapping_enc_fx.c
index 91edc47a5..689c90615 100644
--- a/lib_enc/ACcontextMapping_enc_fx.c
+++ b/lib_enc/ACcontextMapping_enc_fx.c
@@ -973,7 +973,11 @@ void RCcontextMapping_encode2_no_mem_s17_LCS_fx(
     {
         Word16 cp;
         Word16 esc_nb, rateQ;
+#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
+        UWord32 s;
+#else
         UWord16 s;
+#endif
 
         /* Rate flag */
         IF( GT_16( nbbits, 400 ) )
@@ -988,7 +992,11 @@ void RCcontextMapping_encode2_no_mem_s17_LCS_fx(
         }
 
         s = 0;
+#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
+        move32();
+#else
         move16();
+#endif
 
         /* Find last non-zero tuple */
         /* ensure termination of while loop by dummy value */
@@ -1099,8 +1107,13 @@ void RCcontextMapping_encode2_no_mem_s17_LCS_fx(
             }
 
             /*Shift old 4 bits, replace last 4 bits*/
+#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
+            s = L_add( L_shl( s, 4 ), cp );
+            t = extract_l( L_and( s, 0xFF ) );
+#else
             s = (UWord16) ( L_add( L_shl( s, 4 ), cp ) );
             t = (UWord16) L_and( s, 0xFF );
+#endif
 
         } /*end of the 2-tuples loop*/
     }
@@ -1453,7 +1466,11 @@ Word16 RCcontextMapping_encode2_estimate_no_mem_s17_LCS_fx(
     ELSE /* if (!hm_cfg) */
     {
         Word16 esc_nb, cp, rateQ;
+#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
+        UWord32 s;
+#else
         UWord16 s;
+#endif
         Word16 tot_bits2;
         Word16 overflow_flag = 0;
         move16();
@@ -1473,7 +1490,11 @@ Word16 RCcontextMapping_encode2_estimate_no_mem_s17_LCS_fx(
         t = 0;
         move16();
         s = 0;
+#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
+        move32();
+#else
         move16();
+#endif
         cp = 0;
         move16();
         lastnz = 1;
@@ -1564,8 +1585,13 @@ Word16 RCcontextMapping_encode2_estimate_no_mem_s17_LCS_fx(
                 cp = add( 12, esc_nb ); /* Q0 */
             }
             /*shift old bits and replace last 4 bits*/
+#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
+            s = L_add( L_shl( s, 4 ), cp );
+            t = extract_l( L_and( s, 0xFF ) );
+#else
             s = (UWord16) L_add( L_shl( s, 4 ), cp );
             t = s_and( s, 0xFF );
+#endif
         } /*end of the 2-tuples loop*/
 
         tot_bits2 = round_fx( W_shl_sat_l( nbits2_fx, -Q7 ) );                   /* Q23 -> Q16 -> Q0 */
-- 
GitLab


From eed8d18c714d4076ff2418abdf2ae6338acf8448 Mon Sep 17 00:00:00 2001
From: Markus Multrus <markus.multrus@iis.fraunhofer.de>
Date: Fri, 12 Dec 2025 15:03:08 +0100
Subject: [PATCH 2/3] adapt patch, to avoid overflows

---
 lib_dec/ACcontextMapping_dec_fx.c | 15 ++++-----------
 lib_enc/ACcontextMapping_enc_fx.c | 24 ++++--------------------
 2 files changed, 8 insertions(+), 31 deletions(-)

diff --git a/lib_dec/ACcontextMapping_dec_fx.c b/lib_dec/ACcontextMapping_dec_fx.c
index f97d553e6..60c4d4688 100644
--- a/lib_dec/ACcontextMapping_dec_fx.c
+++ b/lib_dec/ACcontextMapping_dec_fx.c
@@ -588,11 +588,7 @@ Word16 RCcontextMapping_decode2_no_mem_s17_LCS_fx(
     ELSE /* if(!hm_cfg) */
     {
         Word16 c, rateQ;
-#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
-        UWord32 s;
-#else
         UWord16 s;
-#endif
 
         /* Rate flag */
         IF( GT_16( nbbits, 400 ) )
@@ -617,11 +613,8 @@ Word16 RCcontextMapping_decode2_no_mem_s17_LCS_fx(
         t = 0;
         move16();
         s = 0;
-#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
-        move32();
-#else
         move16();
-#endif
+
         /* Main Loop through the 2-tuples */
         FOR( k = 0; k < lastnz; k += 2 )
         {
@@ -710,9 +703,9 @@ Word16 RCcontextMapping_decode2_no_mem_s17_LCS_fx(
             }
 
 #ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
-            s = L_shl( s, 4 ); /*Shift old 4 bits*/
-            s = L_add( s, c ); /*replace last 4 bits*/
-            t = extract_l( L_and( s, 0xFF ) );
+            s = shl( s_and( s, 0x0F ), 4 ); /*Shift old 4 bits*/
+            s = add( s, c ); /*replace last 4 bits*/
+            t = s_and( s, 0xFF );
 #else
             s = (UWord16) L_shl( s, 4 ); /*Shift old 4 bits*/
             s = (UWord16) L_add( s, c ); /*replace last 4 bits*/
diff --git a/lib_enc/ACcontextMapping_enc_fx.c b/lib_enc/ACcontextMapping_enc_fx.c
index 689c90615..2d2ad83b1 100644
--- a/lib_enc/ACcontextMapping_enc_fx.c
+++ b/lib_enc/ACcontextMapping_enc_fx.c
@@ -973,11 +973,7 @@ void RCcontextMapping_encode2_no_mem_s17_LCS_fx(
     {
         Word16 cp;
         Word16 esc_nb, rateQ;
-#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
-        UWord32 s;
-#else
         UWord16 s;
-#endif
 
         /* Rate flag */
         IF( GT_16( nbbits, 400 ) )
@@ -992,11 +988,7 @@ void RCcontextMapping_encode2_no_mem_s17_LCS_fx(
         }
 
         s = 0;
-#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
-        move32();
-#else
         move16();
-#endif
 
         /* Find last non-zero tuple */
         /* ensure termination of while loop by dummy value */
@@ -1108,8 +1100,8 @@ void RCcontextMapping_encode2_no_mem_s17_LCS_fx(
 
             /*Shift old 4 bits, replace last 4 bits*/
 #ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
-            s = L_add( L_shl( s, 4 ), cp );
-            t = extract_l( L_and( s, 0xFF ) );
+            s = add( shl( s_and( s, 0x0F ), 4 ), cp );
+            t = s_and( s, 0xFF );
 #else
             s = (UWord16) ( L_add( L_shl( s, 4 ), cp ) );
             t = (UWord16) L_and( s, 0xFF );
@@ -1466,11 +1458,7 @@ Word16 RCcontextMapping_encode2_estimate_no_mem_s17_LCS_fx(
     ELSE /* if (!hm_cfg) */
     {
         Word16 esc_nb, cp, rateQ;
-#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
-        UWord32 s;
-#else
         UWord16 s;
-#endif
         Word16 tot_bits2;
         Word16 overflow_flag = 0;
         move16();
@@ -1490,11 +1478,7 @@ Word16 RCcontextMapping_encode2_estimate_no_mem_s17_LCS_fx(
         t = 0;
         move16();
         s = 0;
-#ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
-        move32();
-#else
         move16();
-#endif
         cp = 0;
         move16();
         lastnz = 1;
@@ -1586,8 +1570,8 @@ Word16 RCcontextMapping_encode2_estimate_no_mem_s17_LCS_fx(
             }
             /*shift old bits and replace last 4 bits*/
 #ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
-            s = L_add( L_shl( s, 4 ), cp );
-            t = extract_l( L_and( s, 0xFF ) );
+            s = add( shl( s_and( s, 0x0F ), 4 ), cp );
+            t = s_and( s, 0xFF );
 #else
             s = (UWord16) L_add( L_shl( s, 4 ), cp );
             t = s_and( s, 0xFF );
-- 
GitLab


From 6a274a052381e3e2ea22db23bef2b096caa4f73e Mon Sep 17 00:00:00 2001
From: Markus Multrus <markus.multrus@iis.fraunhofer.de>
Date: Fri, 12 Dec 2025 15:08:16 +0100
Subject: [PATCH 3/3] formatting

---
 lib_dec/ACcontextMapping_dec_fx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib_dec/ACcontextMapping_dec_fx.c b/lib_dec/ACcontextMapping_dec_fx.c
index 60c4d4688..e88d96aa6 100644
--- a/lib_dec/ACcontextMapping_dec_fx.c
+++ b/lib_dec/ACcontextMapping_dec_fx.c
@@ -704,7 +704,7 @@ Word16 RCcontextMapping_decode2_no_mem_s17_LCS_fx(
 
 #ifdef FIX_1464_UBSAN_RC_CONTEXT_MAP
             s = shl( s_and( s, 0x0F ), 4 ); /*Shift old 4 bits*/
-            s = add( s, c ); /*replace last 4 bits*/
+            s = add( s, c );                /*replace last 4 bits*/
             t = s_and( s, 0xFF );
 #else
             s = (UWord16) L_shl( s, 4 ); /*Shift old 4 bits*/
-- 
GitLab