
@josephsellers
Contributor

Summary

Fix heap corruption crash in VAD processing caused by buffer overflow in the sample reduction loop.

Problem

The buffer size calculation loop (line ~6661) uses `n_samples - 1` as the upper bound:

```cpp
segment_end_samples = std::min(segment_end_samples, n_samples - 1);
filtered_n_samples  += (segment_end_samples - segment_start_samples);
```

But the copy loop (line 6696) uses `n_samples`:

```cpp
segment_end_samples = std::min(segment_end_samples, n_samples);  // BUG: inconsistent bound
int segment_length = segment_end_samples - segment_start_samples;
```

This allows `segment_length` to be up to 1 sample larger per segment than what was allocated, causing writes past the end of the `filtered_samples` buffer.

Symptom

  • `malloc(): corrupted top size`
  • `malloc(): invalid size (unsorted)`
  • Crashes after VAD completes: `whisper_vad: Reduced audio from X to Y samples`
  • Intermittent (depends on heap layout)

Fix

Use consistent bounds (`n_samples - 1`) in both loops.

Fixes #3403
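
The sizing pass and copy pass described above, as an added C++ example (not whisper.cpp code; `Segment`, `clamp_len`, `total_len`, `overflow_samples`, `reduce` and the sample values are hypothetical). Both passes go through one clamp helper, and each copy is checked against the allocation before it writes.

```cpp
// Added example, not whisper.cpp code. Names and sample values are constructed.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

struct Segment { int start; int end; };  // sample indices, start >= 0 assumed

// One clamp shared by the sizing pass and the copy pass, so they cannot disagree.
static int clamp_len(const Segment & s, int upper) {
    return std::max(0, std::min(s.end, upper) - s.start);
}

// Total samples a pass touches when it clamps segment ends to `upper`.
static size_t total_len(const std::vector<Segment> & segs, int upper) {
    size_t total = 0;
    for (const auto & s : segs) total += (size_t) clamp_len(s, upper);
    return total;
}

// How many samples a copy pass bounded by n_samples writes past a buffer
// that was sized with n_samples - 1 (the mismatch the PR describes).
static size_t overflow_samples(const std::vector<Segment> & segs, int n_samples) {
    return total_len(segs, n_samples) - total_len(segs, n_samples - 1);
}

// Reduction with one bound for both passes and a capacity check before each copy.
static std::vector<float> reduce(const std::vector<float> & in, const std::vector<Segment> & segs) {
    const int upper = (int) in.size() - 1;  // bound the PR uses in both loops
    std::vector<float> out(total_len(segs, upper));
    size_t off = 0;
    for (const auto & s : segs) {
        const size_t len = (size_t) clamp_len(s, upper);
        if (len == 0) continue;
        if (off + len > out.size()) throw std::length_error("segment exceeds allocation");
        std::copy_n(in.begin() + s.start, len, out.begin() + off);
        off += len;
    }
    return out;
}

int main() {
    const std::vector<Segment> segs = {{100, 400}, {800, 1000}};  // constructed
    std::vector<float> in(1000);
    for (size_t i = 0; i < in.size(); ++i) in[i] = (float) i;
    std::printf("mismatched bounds overflow by %zu sample(s)\n", overflow_samples(segs, 1000));
    std::printf("reduced to %zu samples\n", reduce(in, segs).size());
}
```

With the constructed segments, only the segment whose end reaches `n_samples` contributes to the mismatch, which matches the intermittent, layout-dependent crashes listed under Symptom.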

The buffer size calculation loop (line ~6661) uses `n_samples - 1` as
the upper bound for segment_end_samples, but the copy loop (line 6696)
uses `n_samples`. This inconsistency allows the copy loop to compute
segment_length values up to 1 sample larger per segment than what was
allocated, causing heap corruption.

Symptom: `malloc(): corrupted top size` or `malloc(): invalid size
(unsorted)` crashes after VAD completes sample reduction.

Fix: Use consistent bounds (`n_samples - 1`) in both loops.

Fixes ggml-org#3403
@danbev danbev merged commit a88b93f into ggml-org:master Dec 6, 2025
62 of 66 checks passed
@danbev
Member

danbev commented Dec 6, 2025

@josephsellers Thanks!


Successfully merging this pull request may close these issues.

VAD coredump (whisper-server)
