Prevent heap overflow in channel-pair reconstruction#217

Merged
fabiangreffrath merged 1 commit into knik0:master from kevin-valerio:master
Mar 25, 2026

Conversation

@kevin-valerio (Contributor)

This PR fixes a security bug in the SBR QMF synthesis path where a channel-pair element could keep a stale, undersized time_out buffer after reallocation. In that state, SBR synthesis can write past the end of the heap buffer.

The fix makes allocate_channel_pair() always free and reallocate time_out and fb_intermed based on the current upsampling state to prevent the OOB write.

allocate_channel_pair() previously only allocated time_out/fb_intermed when NULL, which could leave a stale undersized time_out buffer when SBR becomes active after element reallocation. Always free and reallocate these buffers based on the current SBR state to prevent out-of-bounds writes during SBR QMF synthesis.
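
A simplified model of the allocation bug and the fix described in this PR, added here as an illustration; it is not code from faad2 or from this change. The FRAME_LEN constant, the struct layout, the time_out_len bookkeeping field and the assumption that SBR upsampling doubles the output length are all demo assumptions, and the model tracks allocated capacity instead of performing the out-of-bounds write.

```c
#include <stdlib.h>

/* Demo-only model of the structures named in the PR; not faad2's definitions. */
#define FRAME_LEN 1024

typedef struct {
    float *time_out;
    float *fb_intermed;
    size_t time_out_len;   /* capacity actually allocated (demo bookkeeping) */
} chan_pair;

/* Output length the synthesis writes: assumed to double when SBR upsampling is active. */
static size_t required_len(int sbr_active) {
    return sbr_active ? 2 * FRAME_LEN : FRAME_LEN;
}

/* Old behaviour: allocate only when NULL. A buffer created while SBR was
   inactive survives unchanged once SBR becomes active, so it is too small. */
static void allocate_lazy(chan_pair *cp, int sbr_active) {
    size_t n = required_len(sbr_active);
    if (cp->time_out == NULL) {
        cp->time_out = calloc(n, sizeof(float));
        cp->time_out_len = n;
    }
    if (cp->fb_intermed == NULL) cp->fb_intermed = calloc(n, sizeof(float));
}

/* Fixed behaviour: always free and reallocate from the current SBR state. */
static void allocate_fresh(chan_pair *cp, int sbr_active) {
    size_t n = required_len(sbr_active);
    free(cp->time_out); free(cp->fb_intermed);
    cp->time_out = calloc(n, sizeof(float));
    cp->time_out_len = n;
    cp->fb_intermed = calloc(n, sizeof(float));
}

/* Element first allocated while SBR is inactive, then reallocated once SBR is active.
   Returns 1 if the buffer holds the SBR-sized output, 0 if synthesis would overflow. */
static int synthesis_fits(void (*alloc)(chan_pair *, int)) {
    chan_pair cp = {0};
    alloc(&cp, 0);
    alloc(&cp, 1);
    int fits = cp.time_out_len >= required_len(1);
    free(cp.time_out); free(cp.fb_intermed);
    return fits;
}
```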
@fabiangreffrath (Collaborator) left a comment

Thank you very much!

@fabiangreffrath fabiangreffrath merged commit f2f4e8e into knik0:master Mar 25, 2026
6 checks passed