Fix memory corruption

[gavv]

Hi and thanks for sharing this library.

Currently, all decode methods have two problems:

1. They pass to opus_decode() the total number of samples in output buffer. But according to documentation, they should pass number of samples per channel. In result, in two-channel mode opus will think that the buffer is twice larger than it is. This may lead to memory corruption which is actually reproducing in my application. It's not reproduced each time. It seems that opus usually determines the frame size from its contents and doesn't touch the memory beyond that size.

2. They use cap() instead of len(). I believe this is a bad decision for API because if I pass data[:n] to a function, I expect that the memory beyond n will not be touched. But with current API it may happen if the slice capacity is larger than the slice length. Such bugs may be very hard to find, especially if your slice comes from some other component and refers to a part of a larger memory region (e.g. in pool).

This patch fixes both issues. If you don't agree with the second point, which may be arguable, I can revert the second part of the fix and use cap() instead of len().

I've also added a test. This test fails before applying the patch and succeeds after applying it.

[hraban]

Ugh. How on earth is this possible. I spent a million years looking at these docs and here we are.

Thanks for the patch. I'll have a look over tonight, but it looks like you're right.

Please also add yourself to the AUTHORS list.

[gavv]

Please also add yourself to the AUTHORS list.

Done.

[ydnar]

Yikes. Thanks @gavv!

[hraban]

Hi gavv I don't have time to look at the cap vs len thing for at least another week. I like the idea but I need to think through the possible implications for people already depending on this code.

In the mean time, especially now that this bug is out in the open, I'd like to merge the memory issue. Would you mean removing the len/cap code from this PR and creating another one?

Thanks!

[hraban]

thanks! 👍

[hraban]

Suggested change

	return 0, fmt.Errorf("opus: output buffer length must be multiple of channels")
	return 0, fmt.Errorf("opus: target buffer length must be multiple of channels")

[hraban]

Suggested change

	return 0, fmt.Errorf("opus: output buffer length must be multiple of channels")
	return 0, fmt.Errorf("opus: target buffer length must be multiple of channels")

[hraban]

Suggested change

	return fmt.Errorf("opus: output buffer length must be multiple of channels")
	return fmt.Errorf("opus: target buffer length must be multiple of channels")

[hraban]

Suggested change

	return fmt.Errorf("opus: output buffer length must be multiple of channels")
	return fmt.Errorf("opus: target buffer length must be multiple of channels")

[hraban]

*sigh, go and generics...

[hraban]

Suggested change

	C.int(len(pcm)/dec.channels),
	C.int(cap(pcm)/dec.channels),

sticking to cap for this PR, will think on cap/len later.

[hraban]

Suggested change

	C.int(len(pcm)/dec.channels),
	C.int(cap(pcm)/dec.channels),

[hraban]

Suggested change

	C.int(len(pcm)/dec.channels),
	C.int(cap(pcm)/dec.channels),

[hraban]

Suggested change

	C.int(len(pcm)/dec.channels),
	C.int(cap(pcm)/dec.channels),

[hraban]

Forget about the github UI, I've done it old school locally and just pushed it. Your patch has been included in v2: cb9658a -- not included just yet, can't make tests work locally. out of time again so will have to look at this... at some point in my life.

[gavv]

I like the idea but I need to think through the possible implications for people already depending on this code.

I'd suggest you to make a v3 release. This patch, even with cap() instead of len(), breaks the API anyway.

Would you mean removing the len/cap code from this PR and creating another one?

Sure.

[gavv]

I've revered cap/len change, applied your suggestions, and fixed tests.

[hraban]

I will have to backport this to v2 and v1 because it's a security issue (for future reference, by the way: if you find memory corruption bug, I recommend reporting it in private at least initially, because putting it out in the open significantly increases the pressure to fix it asap :/ it's not ideal timing at the mo 😭).

[hraban]

I'd suggest you to make a v3 release. This patch, even with cap() instead of len(), breaks the API anyway.

Isn't the error in our invocation of libopus? as far as I can see, fixing this should work backwards compatibly for everyone. I was calling libopus wrong, but users of this lib just pass in an array with a cap, no further updates needed (cue also the other tests which still work fine).

Any specific reason you were thinking of a v3?

[gavv]

You're right. I was thinking about the behavior change. There are three cases:

1. user passes a buffer smaller than the actual frame
2. user passes a buffer of the exact same size
3. user passes a larger buffer

Old behavior:

1. corrupted memory 2. usually correct 3. usually correct

New behavior:

1. error 2. correct 3. correct

So we're changing a (probably silent) memory corruption to an error. I guess this should be considered as a compatible change :)

[gavv]

I'd like to push more commits into v2 branch of my fork, which are not related to this PR. Github does not allow me to switch PR's branch, so I'm reopening it with another branch: #26.

I've also replaced len() with cap() in new buffer size checks. I didn't touch the old checks.