Skip to content

Undefined behavior / float-cast-overflow in speex_decode_stereo_int #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dklimkin opened this issue Jul 8, 2024 · 5 comments
Open

Undefined behavior / float-cast-overflow in speex_decode_stereo_int #27

dklimkin opened this issue Jul 8, 2024 · 5 comments

Comments

@dklimkin
Copy link

dklimkin commented Jul 8, 2024

speex_decode_stereo_int:276-277

      data[2*i] = (spx_int16_t)MULT16_16_P14(stereo->smooth_left, tmp);
      data[2*i+1] = (spx_int16_t)MULT16_16_P14(stereo->smooth_right, tmp);

casts float to 16 bit int which can cause an overflow and UB. This UB typically results in SIGILL with clang.
@Dutchman101 Dutchman101 mentioned this issue Oct 3, 2024
Closed
Dutchman101 added a commit to Dutchman101/speex that referenced this issue Feb 17, 2025
@Dutchman101
Fix issue xiph#27 (UB/Flow-cast overflow) and similar ones
db6af61
@Dutchman101 Dutchman101 mentioned this issue Feb 17, 2025
Open
@Dutchman101
Copy link
Contributor

Hello @tmatth, i made PR #28 to fix this

@tmatth
Copy link
Member

tmatth commented Feb 17, 2025

speex_decode_stereo_int:276-277

      data[2*i] = (spx_int16_t)MULT16_16_P14(stereo->smooth_left, tmp);
      data[2*i+1] = (spx_int16_t)MULT16_16_P14(stereo->smooth_right, tmp);

casts float to 16 bit int which can cause an overflow and UB. This UB typically results in SIGILL with clang.

Do you have a POC? Also I'm assuming you're talking about the inside of the MULT16_16_P14 calls and not the spx_int16_t casts of the results which should be fine.

@tmatth
Copy link
Member

tmatth commented Feb 17, 2025

Hello @tmatth, i made PR #28 to fix this

Thanks I'll review there, although this is just avoiding undefined behavior in the fixed-debug builds so I don't see how that would fix this issue.

@Dutchman101
Copy link
Contributor

Dutchman101 commented Feb 17, 2025
edited
Loading

Hello @tmatth, i made PR #28 to fix this

Thanks I'll review there, although this is just avoiding undefined behavior in the fixed-debug builds so I don't see how that would fix this issue.

@tmatth

MULT16_16_P14 is created in fixed_debug, so i figured that's where to fix it. Am i wrong?

Also, now that i have your attention, would you please take a look at what i feel may be a critical security bug?
PR #29: Fix OOB

@tmatth
Copy link
Member

tmatth commented Feb 21, 2025

MULT16_16_P14 is created in fixed_debug, so i figured that's where to fix it. Am i wrong?

That's the version that gets used if you ./configure --enable-fixed-point-debug (only really used when debugging). The version defined in fixed_generic also needs to be fixed (as that is what will be used by normal fixed-point builds).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tmatth @dklimkin @Dutchman101