From f9a575547ed403cf6817cfaf9d82e031ee4154d6 Mon Sep 17 00:00:00 2001 From: Jean-Marc Valin Date: Thu, 1 Sep 2016 08:34:58 -0400 Subject: Adds two integer wrap-around issues to the update draft --- doc/draft-ietf-codec-opus-update.xml | 84 +++++++++++++++++++++++++++++------- 1 file changed, 68 insertions(+), 16 deletions(-) diff --git a/doc/draft-ietf-codec-opus-update.xml b/doc/draft-ietf-codec-opus-update.xml index 85228573..2cf57cc8 100644 --- a/doc/draft-ietf-codec-opus-update.xml +++ b/doc/draft-ietf-codec-opus-update.xml @@ -10,7 +10,7 @@ - Updates to the Opus Audio Codec @@ -47,7 +47,7 @@ - + This document addresses minor issues that were found in the specification @@ -62,8 +62,7 @@ RFC 6716. Only issues affecting the decoder are listed here. An up-to-date implementation of the Opus encoder can be found at http://opus-codec.org/. The updated specification remains fully compatible with - the original specification and only one of the changes results in any difference - in the audio output. + the original specification. @@ -225,19 +224,56 @@ RESAMPLER_ORDER_FIR_12 * sizeof( opus_int16 ) ); -
- The last issue is not strictly a bug, but it is an issue that has been reported - when downmixing an Opus decoded stream to mono, whether this is done inside the decoder - or as a post-processing step on the stereo decoder output. Opus intensity stereo allows - optionally coding the two channels 180-degrees out of phase on a per-band basis. - This provides better stereo quality than forcing the two channels to be in phase, - but when the output is downmixed to mono, the energy in the affected bands is cancelled - sometimes resulting in audible artefacts. +
+ + It was discovered through decoder fuzzing that some bitstreams could produce + integer values exceeding 32-bits in LPC_inverse_pred_gain_QA(), causing + a wrap-around. Although the error is harmless in practice, the C standard considers + the behaviour as undefined, so the following patch detects values + that would cause wrap-around and considers the corresponding filters unstable: - As a work-around for this issue, the decoder MAY choose not to apply the 180-degree - phase shift when the output is meant to be downmixed (inside or - outside of the decoder). +
+ silk_int32_MAX || tmp64 < silk_int32_MIN ) { ++ return 0; ++ } ++ Anew_QA[ n ] = ( opus_int32 )tmp64; + } +]]> +
+
+ +
+ + It was discovered -- also from decoder fuzzing -- that an integer wrap-around could + occur when decoding line spectral frequency coefficients from extreme bitstreams. + The end result of the wrap-around is an illegal read access on the stack, which + the authors do not believe is explitable but should nontheless be fixed. The following + patch avoids the problem: +
+ +
+
@@ -314,8 +350,24 @@ effective_lowband+N);
+
+ The last issue is not strictly a bug, but it is an issue that has been reported + when downmixing an Opus decoded stream to mono, whether this is done inside the decoder + or as a post-processing step on the stereo decoder output. Opus intensity stereo allows + optionally coding the two channels 180-degrees out of phase on a per-band basis. + This provides better stereo quality than forcing the two channels to be in phase, + but when the output is downmixed to mono, the energy in the affected bands is cancelled + sometimes resulting in audible artefacts. + + As a work-around for this issue, the decoder MAY choose not to apply the 180-degree + phase shift when the output is meant to be downmixed (inside or + outside of the decoder). + +
+ +
- Changes in and have + Changes in and have sufficient impact on the testvectors to make them fail. For this reason, this document also updates the Opus test vectors. The new test vectors now include two decoded outputs for the same bitstream. The outputs with -- cgit v1.2.3
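Review bot: In the hunk at -62,8, removing "and only one of the changes results in any difference in the audio output" leaves "remains fully compatible with the original specification" as the only statement about decoder output, while the test-vector paragraph touched by the last hunk still says the changes have sufficient impact on the testvectors to make them fail. Suggest stating here which of the changes alter the decoded output, or pointing to the test-vector section, so that the compatibility claim and the test-vector update do not read as contradicting each other.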
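Review bot: In the hunk at -225,19, the added paragraph on line spectral frequency decoding misspells two words: "explitable" should be "exploitable" and "nontheless" should be "nonetheless". The same sentence says the authors do not believe the illegal stack read is exploitable but gives no reason; one clause on why the read is considered benign would let implementers judge how urgently to pick up the fix. In the LPC_inverse_pred_gain_QA() paragraph, "exceeding 32-bits" should read "exceeding 32 bits". The added range check that does "return 0;" would also benefit from a short comment saying that 0 marks the filter as unstable, which is what the prose describes.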