Potential Bad memory access bug #5
Comments
I managed to confirm this. Working on a fix, but it may only land when I get back from holidays next week.
The documentation suggests that setting the ratio using
Thank you for confirming, Erik. This happens to be one of the real-world use case scenarios in our project. We can receive several playback rate change requests that need to be processed, and these translate to several src_set_ratio() calls during the course of one src_callback_read().
Managed to do some debugging work here and there, but still haven't got to the bottom of it. Should have a fix in the next week or so.
Hi Erik, how is the fix for this bug looking? Any idea when you will be committing it? Thanks,
Been crazy busy the last couple of weeks. This bug is a tough one. I need a couple of uninterrupted hours to debug this. Not sure when that will happen.
I tested this repro with the current version and it does not crash. However it silently buffer-underflows as the check is removed! This is a critical bug. This is not even related to the callback interface and can be reproduced like this:
I tracked this down to the following: The start of the buffer is filled with zeros in Previously this negative index would call abort, which is what @hnand reported. But now the
@hnand Your code will not do what you expect anyway. The problematic part is:
Inside the callback defined earlier you call There are 2 problems:
@erikd Maybe a function like
A decreasing ratio causes an out-of-bounds access as described in libsndfile#5. In the tests this results in either NaNs in the output or a crash when accessing invalid memory (or an error using ASAN).
The buffer read underflow could happen with the 'SRC_SINC_*' converters when the `src_ratio` is dynamically decreased while processing. This is a relatively naive fix for the issue that seems to have an up to 3% performance degradation with respect to the unfixed version. It may be possible to come up with a better version of this fix that does not degrade performance. Closes: #5
The buffer out-of-bounds read that happens with the 'SRC_SINC_*' converters when the `src_ratio` is dynamically decreased while processing. This is a relatively naive fix for the issue that seems to have an up to 3% performance degradation with respect to the unfixed version. It may be possible to come up with a better version of this fix that does not degrade performance. Closes: #5
Hi Erik,
I have written a self-contained test to display the problem we are seeing in our project that uses libsamplerate to do sample rate conversions. I have attached the entire libsamplerate directory along with my changes here. I have also written up a brief description of the issue and my test below.
I would like to understand if this is indeed a potential bug or an improper use of the library. Looking forward to your thoughts.
Thanks,
Hari
Description:
Our project code follows the model in callback_test.c (i.e. set up a callback using src_callback_new() with converter = SRC_SINC_FASTEST, numChannels = 32, and call src_callback_read() until the requested number of samples has been read).
We have discovered an intermittent issue where the audio data we receive after a call to src_callback_read() contains NaN values in the output buffer at a valid index (i.e. within the total read samples returned by src_callback_read()). We traced this down to the calc_output_multi() function, which is called by sinc_multichan_vari_process() in src_sinc.c. Specifically, in the scenarios where the issue happens, the data_index that calc_output_multi() calculates when applying the left half of the filter evaluates to a negative value (which leads to accessing uninitialized/unowned memory).
To simplify this, I have written a short self-contained test (called filterdata_integrity_test.c) under the tests directory. This test is similar to callback_test.c, i.e. it sets up a callback using src_callback_new() with converter = SRC_SINC_FASTEST, numChannels = 2 (for simplicity), and calls src_callback_read() until the requested number of samples has been read. The notable differences between my test and callback_test.c are:
i) Setting the src_ratio to a different value on every callback (by calling src_set_ratio()); this replicates the scenario in our project when the issue occurs
ii) Adding integrity checks on the audio data that is generated in the output buffer
All of the relevant changes also have comments next to them.
Note: I have also made a non-invasive change to src/src_sinc.c at line 437 to exit(1) whenever the data_index hits a negative value in calc_output_stereo() (since this is the only way I have found to catch the issue when it happens). I hit this exit every time I run the filterdata_integrity_test.
libsamplerate-0.1.8.zip
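The failure mode described in this issue, reduced to a runnable model: this is an added example, not code from libsamplerate or from the reporter's attached test. A SINC converter keeps a window of input history and the left half of the filter reaches back into it; how far back depends on the current ratio. If the ratio is lowered after the history was sized for a higher ratio, the left-half start index goes negative, which is the out-of-bounds read the thread reports. The struct fields, the stretch rule (half-length grows by 1/ratio when ratio < 1), `COEFF_HALF_LEN` and every function name here are assumptions made for illustration, not the library's real internals; the checked variant shows the kind of bounds check that turns the silent underflow into an error return.

```c
/*
 * Added example, not libsamplerate code. Models why lowering src_ratio
 * between calls makes the left half of a SINC filter index before the
 * start of its history buffer. All names, the stretch rule and the
 * constants are assumptions for illustration, not the library's internals.
 */
#include <stdio.h>
#include <string.h>

#define CHANNELS        2
#define BUF_FRAMES      128
#define COEFF_HALF_LEN  16   /* assumed half-length of the sinc table at ratio >= 1.0 */

typedef struct {
    float  buffer[CHANNELS * BUF_FRAMES];
    int    b_current;    /* index (in floats) of the current output position */
    double src_ratio;    /* output rate / input rate, as set by src_set_ratio() */
} model_filter;

/* Floats of history the left half of the filter needs at `src_ratio`.
 * Assumption: downsampling (ratio < 1) stretches the sinc by 1/ratio, so it
 * reaches further back than it did when the buffer was primed. */
static int half_filter_chan_len(double src_ratio)
{
    double stretch = src_ratio < 1.0 ? 1.0 / src_ratio : 1.0;
    int half_len = (int) (COEFF_HALF_LEN * stretch + 0.5);   /* round to nearest */
    return CHANNELS * (half_len + 1);
}

/* Unchecked arithmetic: the lowest data_index the left-half loop would touch.
 * A negative value is the out-of-bounds read reported in this issue; the
 * index is only returned here, never dereferenced. */
static int left_half_start_unchecked(const model_filter *f)
{
    return f->b_current - half_filter_chan_len(f->src_ratio);
}

/* Checked variant: refuse to apply the left half when the history the current
 * ratio demands is not in the buffer. Returns 0 and writes one frame to `out`
 * on success, -1 on underflow (the caller must buffer more input first). */
static int left_half_checked(const model_filter *f, float *out)
{
    int start = f->b_current - half_filter_chan_len(f->src_ratio);
    if (start < 0 || f->b_current > CHANNELS * BUF_FRAMES)
        return -1;
    for (int ch = 0; ch < CHANNELS; ch++) {
        double acc = 0.0;
        for (int i = start + ch; i < f->b_current; i += CHANNELS)
            acc += f->buffer[i];          /* stand-in for coeff * sample */
        out[ch] = (float) acc;
    }
    return 0;
}

/* Prime the model with exactly the history `ratio` requires, the state a
 * converter is in once it has filled its buffer at that ratio. */
static void model_init(model_filter *f, double ratio)
{
    memset(f, 0, sizeof *f);
    f->src_ratio = ratio;
    f->b_current = half_filter_chan_len(ratio);
    for (int i = 0; i < f->b_current; i++)
        f->buffer[i] = 1.0f;              /* constructed input: a DC signal */
}

/* Replay a schedule of src_set_ratio() values, as the reporter's test does on
 * every callback. Returns how many steps would index before the buffer start,
 * or -1 if the checked and unchecked paths ever disagree. */
static int count_underflows(double start_ratio, const double *schedule, int n)
{
    model_filter f;
    float out[CHANNELS];
    int underflows = 0;

    model_init(&f, start_ratio);
    for (int i = 0; i < n; i++) {
        f.src_ratio = schedule[i];
        int unchecked_bad = left_half_start_unchecked(&f) < 0;
        int checked_bad   = left_half_checked(&f, out) < 0;
        if (unchecked_bad != checked_bad)
            return -1;
        underflows += unchecked_bad;
    }
    return underflows;
}

int main(void)
{
    /* constructed ratio schedule: decreases below the priming ratio three times */
    const double schedule[] = { 1.0, 1.5, 0.9, 0.5, 2.0, 0.25 };
    int n = (int) (sizeof schedule / sizeof schedule[0]);
    printf("steps that would read before the buffer: %d\n",
           count_underflows(1.0, schedule, n));
    return 0;
}
```

Every ratio in the schedule below 1.0 makes the left half reach further back than the buffer primed at ratio 1.0 holds, so the unchecked index goes negative at those steps; priming at 0.5 instead leaves only the 0.25 step short. The point for the library is the same as the thread's: an index computed from a parameter the caller can change mid-stream needs a bounds check at the point of use, or the history buffer must be re-primed when the ratio drops.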