From db6af6172bbf4acf34f65959a91dbfd653b658e3 Mon Sep 17 00:00:00 2001
From: Dutchman101
Date: Mon, 17 Feb 2025 12:46:22 +0100
Subject: [PATCH 1/3] Fix issue #27 (UB/Flow-cast overflow) and similar ones
---
 libspeex/fixed_debug.h | 112 +++++++++++++++++++++++++++++++++++------
 1 file changed, 96 insertions(+), 16 deletions(-)
diff --git a/libspeex/fixed_debug.h b/libspeex/fixed_debug.h
index 756138b8..7ad61726 100644
--- a/libspeex/fixed_debug.h
+++ b/libspeex/fixed_debug.h
@@ -56,7 +56,13 @@ static inline short NEG16(int x)
 }
 res = -x;
 if (!VERIFY_SHORT(res))
- fprintf (stderr, "NEG16: output is not short: %d\n", (int)res);
+ {
+ fprintf (stderr, "NEG16: output is not short: %d\n", (int)res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips++;
 return res;
 }
@@ -110,7 +116,13 @@ static inline short _SHR16(int a, int shift, char *file, int line)
 }
 res = a>>shift;
 if (!VERIFY_SHORT(res))
- fprintf (stderr, "SHR16: output is not short: %d in %s: line %d\n", res, file, line);
+ {
+ fprintf (stderr, "SHR16: output is not short: %d in %s: line %d\n", res, file, line);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips++;
 return res;
 }
@@ -124,7 +136,13 @@ static inline short _SHL16(int a, int shift, char *file, int line) } res = (int)((unsigned)a< 32767) + res = 32767; + if (res < -32768) + res = -32768; + } spx_mips++; return res; }
@@ -181,7 +199,11 @@ static inline short _ADD16(int a, int b, char *file, int line)
 res = a+b;
 if (!VERIFY_SHORT(res))
 {
- fprintf (stderr, "ADD16: output is not short: %d+%d=%d in %s: line %d\n", a,b,res, file, line);
+ fprintf (stderr, "ADD16: output is not short: %d+%d=%d in %s: line %d\n", a,b,res, file, line);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
 }
 spx_mips++;
 return res;
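Review bot: The saturation added after the `NEG16` diagnostic changes the value this debug header returns instead of only reporting the overflow, so a build using these instrumented operators may now compute different results from a build using the regular fixed-point operators (those definitions are not part of this patch, so this needs confirming). If clamping is intended, the same block is pasted into `_SHR16`, `_SHL16`, `_ADD16`, `_SUB16`, `MULT16_16_16`, `MULT16_16_Q13`/`Q14`/`Q15` and `MULT16_16_P13`/`P14`/`P15`; a single helper would keep the bounds in one place and reduce each call site to `res = sat16(res);`. The helper name is only a suggestion, and the bodies of these functions begin outside the hunks.

```c
/* Suggested helper (placeholder name), defined once near the top of the header. */
static inline int sat16(long long v)
{
   if (v > 32767)
      return 32767;
   if (v < -32768)
      return -32768;
   return (int)v;
}

/* … unchanged: NEG16 input check and res = -x … */
   if (!VERIFY_SHORT(res))
   {
      fprintf (stderr, "NEG16: output is not short: %d\n", (int)res);
      res = sat16(res);
   }
```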
@@ -197,7 +219,13 @@ static inline short _SUB16(int a, int b, char *file, int line)
 }
 res = a-b;
 if (!VERIFY_SHORT(res))
- fprintf (stderr, "SUB16: output is not short: %d in %s: line %d\n", res, file, line);
+ {
+ fprintf (stderr, "SUB16: output is not short: %d in %s: line %d\n", res, file, line);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips++;
 return res;
 }
@@ -227,8 +255,14 @@ static inline int SUB32(long long a, long long b)
 fprintf (stderr, "SUB32: inputs are not int: %d %d\n", (int)a, (int)b);
 }
 res = a-b;
- if (!VERIFY_INT(res))
- fprintf (stderr, "SUB32: output is not int: %d\n", (int)res);
+ if (!VERIFY_SHORT(res))
+ {
+ fprintf (stderr, "SUB32: output is not int: %d\n", (int)res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips++;
 return res;
 }
@@ -245,7 +279,13 @@ static inline short MULT16_16_16(int a, int b)
 }
 res = a*b;
 if (!VERIFY_SHORT(res))
- fprintf (stderr, "MULT16_16_16: output is not short: %d\n", res);
+ {
+ fprintf (stderr, "MULT16_16_16: output is not short: %d\n", res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips++;
 return res;
 }
@@ -329,8 +369,14 @@ static inline int MULT16_16_Q11_32(int a, int b)
 }
 res = ((long long)a)*b;
 res >>= 11;
- if (!VERIFY_INT(res))
- fprintf (stderr, "MULT16_16_Q11: output is not short: %d*%d=%d\n", (int)a, (int)b, (int)res);
+ if (!VERIFY_SHORT(res))
+ {
+ fprintf (stderr, "MULT16_16_Q11: output is not short: %d*%d=%d\n", (int)a, (int)b, (int)res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips+=3;
 return res;
 }
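Review bot: `SUB32` returns `int` and takes `long long` operands, yet the new check is `VERIFY_SHORT(res)` and the clamp is to 32767 / -32768, so any legitimate 32-bit difference outside the 16-bit range is now logged and cut down to a short value. The message still reads "output is not int", which suggests the macro swap was unintended. Keep `if (!VERIFY_INT(res))`, and if saturation is wanted clamp to the `int` limits, e.g. `if (res > 2147483647) res = 2147483647;` and `if (res < -2147483647-1) res = -2147483647-1;`. The `MULT16_16_Q11_32` hunk further down makes the same `VERIFY_INT` to `VERIFY_SHORT` change on an `int`-returning function.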
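Review bot: In `MULT16_16_16` the product `res = a*b;` is still evaluated in `int` before the new clamp runs, so when the operands are outside the 16-bit range the multiplication itself can overflow and the clamp then acts on an already undefined result. The input check sits above the hunk and is not visible here; in the `SUB32` hunk the equivalent check only prints and continues. The other multiply helpers in this patch widen first with `((long long)a)*b`; doing the same here would need `res` to be a 64-bit local, whose declaration is outside the hunk.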
@@ -344,7 +390,13 @@ static inline short MULT16_16_Q13(int a, int b)
 res = ((long long)a)*b;
 res >>= 13;
 if (!VERIFY_SHORT(res))
- fprintf (stderr, "MULT16_16_Q13: output is not short: %d*%d=%d\n", a, b, (int)res);
+ {
+ fprintf (stderr, "MULT16_16_Q13: output is not short: %d*%d=%d\n", a, b, (int)res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips+=3;
 return res;
 }
@@ -358,7 +410,13 @@ static inline short MULT16_16_Q14(int a, int b)
 res = ((long long)a)*b;
 res >>= 14;
 if (!VERIFY_SHORT(res))
- fprintf (stderr, "MULT16_16_Q14: output is not short: %d\n", (int)res);
+ {
+ fprintf (stderr, "MULT16_16_Q14: output is not short: %d\n", (int)res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips+=3;
 return res;
 }
@@ -373,7 +431,11 @@ static inline short MULT16_16_Q15(int a, int b)
 res >>= 15;
 if (!VERIFY_SHORT(res))
 {
- fprintf (stderr, "MULT16_16_Q15: output is not short: %d\n", (int)res);
+ fprintf(stderr, "MULT16_16_P14: output is not short: %d*%d=%d\n", a, b, (int)res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
 }
 spx_mips+=3;
 return res;
@@ -392,7 +454,13 @@ static inline short MULT16_16_P13(int a, int b)
 fprintf (stderr, "MULT16_16_P13: overflow: %d*%d=%d\n", a, b, (int)res);
 res >>= 13;
 if (!VERIFY_SHORT(res))
- fprintf (stderr, "MULT16_16_P13: output is not short: %d*%d=%d\n", a, b, (int)res);
+ {
+ fprintf (stderr, "MULT16_16_P13: output is not short: %d*%d=%d\n", a, b, (int)res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips+=4;
 return res;
 }
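Review bot: The diagnostic in `MULT16_16_Q15` now prints the label `MULT16_16_P14`, so an overflow in this function is reported under another function's name; the `MULT16_16_P15` hunk later in the patch carries the same pasted string. Each message should name its own function: `fprintf (stderr, "MULT16_16_Q15: output is not short: %d*%d=%d\n", a, b, (int)res);` here, and the `MULT16_16_P15:` prefix there. Since these lines are how an overflow is traced back to its operator, a wrong label sends the reader to the wrong call sites.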
@@ -409,7 +477,13 @@ static inline short MULT16_16_P14(int a, int b)
 fprintf (stderr, "MULT16_16_P14: overflow: %d*%d=%d\n", a, b, (int)res);
 res >>= 14;
 if (!VERIFY_SHORT(res))
- fprintf (stderr, "MULT16_16_P14: output is not short: %d*%d=%d\n", a, b, (int)res);
+ {
+ fprintf(stderr, "MULT16_16_P14: output is not short: %d*%d=%d\n", a, b, (int)res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips+=4;
 return res;
 }
@@ -426,7 +500,13 @@ static inline short MULT16_16_P15(int a, int b)
 fprintf (stderr, "MULT16_16_P15: overflow: %d*%d=%d\n", a, b, (int)res);
 res >>= 15;
 if (!VERIFY_SHORT(res))
- fprintf (stderr, "MULT16_16_P15: output is not short: %d*%d=%d\n", a, b, (int)res);
+ {
+ fprintf(stderr, "MULT16_16_P14: output is not short: %d*%d=%d\n", a, b, (int)res);
+ if (res > 32767)
+ res = 32767;
+ if (res < -32768)
+ res = -32768;
+ }
 spx_mips+=4;
 return res;
 }
From 837143eb71bfe49891292e8ac6cb02bf82383411 Mon Sep 17 00:00:00 2001
From: Dutchman101 <12105539+Dutchman101@users.noreply.github.com>
Date: Mon, 17 Feb 2025 12:04:55 +0000
Subject: [PATCH 2/3] Fix OOB Security fix. Array index out of bounds
---
 libspeex/vorbis_psy.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libspeex/vorbis_psy.c b/libspeex/vorbis_psy.c
index cb385b7a..d2f6fc75 100644
--- a/libspeex/vorbis_psy.c
+++ b/libspeex/vorbis_psy.c
@@ -342,11 +342,14 @@ VorbisPsy *vorbis_psy_init(int rate, int n) inthalfoc=(int)halfoc; del=halfoc-inthalfoc; + if (halfoc < P_BANDS-1) { p->noiseoffset[i]= p->vi->noiseoff[inthalfoc]*(1.-del) + p->vi->noiseoff[inthalfoc+1]*del; - - } + } else { + p->noiseoffset[i]= + p->vi->noiseoff[inthalfoc]*(1.-del); +} #if 0 _analysis_output_always("noiseoff0",ls,p->noiseoffset,n,1,0,0); #endif
From 0eabaf84b0e2f231f77510e2e612ff317405b3fd Mon Sep 17 00:00:00 2001
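Review bot: The new `else` branch in `vorbis_psy_init` still reads `p->vi->noiseoff[inthalfoc]` with no bound on `inthalfoc`, so the guard `halfoc < P_BANDS-1` only removes the `inthalfoc+1` read and does not by itself keep the index inside the array. Whether `halfoc` is clamped (including against negative values) is decided above the hunk and is not visible, and the size of `noiseoff` is assumed here to be `P_BANDS`. If it is not clamped, a range check on the integer index before both reads, e.g. `if (inthalfoc < 0) inthalfoc = 0;` and `if (inthalfoc > P_BANDS-1) inthalfoc = P_BANDS-1;`, would complete the fix. Patch 3/3 reverts this hunk, so the series as a whole leaves the original `noiseoff[inthalfoc+1]` read in place.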
From: Dutchman101
Date: Mon, 17 Feb 2025 13:07:00 +0100
Subject: [PATCH 3/3] Revert "Fix OOB" This reverts commit 837143eb71bfe49891292e8ac6cb02bf82383411. The commit wasn't intended for this branch/repo, i will add it into another PR.
---
 libspeex/vorbis_psy.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libspeex/vorbis_psy.c b/libspeex/vorbis_psy.c
index d2f6fc75..cb385b7a 100644
--- a/libspeex/vorbis_psy.c
+++ b/libspeex/vorbis_psy.c
@@ -342,14 +342,11 @@ VorbisPsy *vorbis_psy_init(int rate, int n) inthalfoc=(int)halfoc; del=halfoc-inthalfoc; - if (halfoc < P_BANDS-1) { p->noiseoffset[i]= p->vi->noiseoff[inthalfoc]*(1.-del) + p->vi->noiseoff[inthalfoc+1]*del; - } else { - p->noiseoffset[i]= - p->vi->noiseoff[inthalfoc]*(1.-del); -} + + } #if 0 _analysis_output_always("noiseoff0",ls,p->noiseoffset,n,1,0,0); #endif