opus - Apr 2015 - Availability of the 1.1.1 stable version

Hi Jean-Marc,

Thanks for your response. Please find the details as below.

*Backtrace we got for this crash:*

#0  0x0000000000800c54 in opus_decode_frame (st=0x38906b8f99d09c5,

    data=0xf0aa10b4ef1008ae <Address 0xf0aa10b4ef1008ae out of bounds>,
len=-188613428, pcm=0x6e80016085efd57,

    frame_size=44037315, decode_fec=58716895) at src/opus_decoder.c:384


#1  0x00000000008009c0 in opus_decode_frame (st=0x712357d0,

    data=0x7effff9ab72d "~?`\\?K\005??y?w+g~?S2\025?\036T?\002x??h!???
\220\233\066s?\030#gb\rn?rF\005Q?\213;?`\207$O?(m\222=9??/h??t??E?w?
\237\"\206z\005\213?u at e", len=88, pcm=0x7effff9a6a80,
frame_size=640,
decode_fec=0) at src/opus_decoder.c:319


#2  0x0000000000801be1 in opus_decode_native (st=0x712357d0,

    data=0x7effff9ab72d "~?`\\?K\005??y?w+g~?S2\025?\036T?\002x??h!???
\220\233\066s?\030#gb\rn?rF\005Q?\213;?`\207$O?(m\222=9??/h??t??E?w?
\237\"\206z\005\213?u at e", len=89, pcm=0x7effff9a6a80,
frame_size=640,
decode_fec=0, self_delimited=0,

    packet_offset=0x0, soft_clip=1) at src/opus_decoder.c:681


#3  0x000000000080226c in opus_decode (st=0x712357d0,

    data=0x7effff9ab72c "?~?`\\?K\005??y?w+g~?S2\025?\036T?\002x??h!???
\220\233\066s?\030#gb\rn?rF\005Q?\213;?`\207$O?(m\222=9??/h??t??E?w?
\237\"\206z\005\213?u at e", len=89, pcm=0x71245a60, frame_size=640,
decode_fec=0) at src/opus_decoder.c:867


#4  0x00000000004fd6b5 in kn_opus_decode (decHandle=0x712357d0,
decProp=0x1675698, src=0x16756d0, dest=0x71245a60,

    dstLen=0x1673210) at MSTranscodeOPUS.c:100


*And the code flow what we have observed for this specific incident:*

*Called this as mode is CELT_ONLY,*

   if (data!=NULL && st->prev_mode > 0 && (
       (mode == MODE_CELT_ONLY && st->prev_mode != MODE_CELT_ONLY
&&
!st->prev_redundancy)
    || (mode != MODE_CELT_ONLY && st->prev_mode == MODE_CELT_ONLY) )
      )
   {
      *transition = 1*;
      /* Decide where to allocate the stack memory for pcm_transition */
      if (mode == MODE_CELT_ONLY)
         pcm_transition_celt_size = F5*st->channels;
      else
         pcm_transition_silk_size = F5*st->channels;
   }

*So transition is made as 1 called this,*

   if (transition && mode == MODE_CELT_ONLY)
   {
      pcm_transition = pcm_transition_celt;
      opus_decode_frame(st, NULL, 0, pcm_transition, IMIN(F5, audiosize),
0);
   }

*In "opus_decode_frame" again, as data is passed as NULL, goes to else
part*

   if (data != NULL)
   {
      audiosize = st->frame_size;
      mode = st->mode;
      ec_dec_init(&dec,(unsigned char*)data,len);
   } else {
      audiosize = frame_size;
      mode = st->prev_mode;

*As the mode is made as prev mode now, which was a silk, this goes inside,*

  /* SILK processing */
   if (mode != MODE_CELT_ONLY)
   {

*Then in this function called this*,

        silk_ret = silk_Decode( silk_dec, &st->DecControl,
                                lost_flag, first_frame, &dec, pcm_ptr,
&silk_frame_size );


*And finally, somehow, the "silk_frame_size" is a negative value ( say
-1376272 in our case), then in the same function called the below and this
crashes here.*

 pcm_ptr += silk_frame_size * st->channels;


Please help.

Thanks
Suresh













On 12 April 2015 at 21:23, Jean-Marc Valin <jmvalin at jmvalin.ca> wrote:
> Do you have any file that demonstrates the problem with either opus_demo
> or opusdec?
>
>         Jean-Marc
>
> On 09/04/15 04:01 AM, Suresh Thiriveedi wrote:
> > Hi,
> >
> > I'm curious to know when would be the 1.1.1 stable version
available.
> >
> > In 1.1, we are facing crash when opus library is trying to decode the
> > CELT-only, full band and 20 ms. So we tried with 1.1.1 beta and it
looks
> > to be fine. Is there any open issue regarding this in 1.1 version?
> >
> > Thanks
> > Suresh
> >
> >
> > _______________________________________________
> > opus mailing list
> > opus at xiph.org
> > http://lists.xiph.org/mailman/listinfo/opus
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.xiph.org/pipermail/opus/attachments/20150413/8b54fbae/attachment.htm

Hi  Jean-Marc,

Could you please update if you got a chance to look into. As I mentioned, I
don't see the same issue in 1.1.1, but I don't see any difference in
1.1.1
other than optimization based on the architecture. This optimization could
have fixed some stack overflow issue in some specific cases?


Thanks
Suresh

On 13 April 2015 at 12:39, Suresh Thiriveedi <sthiriveedi at gmail.com>
wrote:
> Hi Jean-Marc,
>
> Thanks for your response. Please find the details as below.
>
> *Backtrace we got for this crash:*
>
> #0  0x0000000000800c54 in opus_decode_frame (st=0x38906b8f99d09c5,
>
>     data=0xf0aa10b4ef1008ae <Address 0xf0aa10b4ef1008ae out of
bounds>,
> len=-188613428, pcm=0x6e80016085efd57,
>
>     frame_size=44037315, decode_fec=58716895) at src/opus_decoder.c:384
>
>
> #1  0x00000000008009c0 in opus_decode_frame (st=0x712357d0,
>
>     data=0x7effff9ab72d "~?`\\?K\005??y?w+g~?S2\025?\036T?\002x??h!???
> \220\233\066s?\030#gb\rn?rF\005Q?\213;?`\207$O?(m\222=9??/h??t??E?w?
> \237\"\206z\005\213?u at e", len=88, pcm=0x7effff9a6a80,
frame_size=640,
> decode_fec=0) at src/opus_decoder.c:319
>
>
> #2  0x0000000000801be1 in opus_decode_native (st=0x712357d0,
>
>     data=0x7effff9ab72d "~?`\\?K\005??y?w+g~?S2\025?\036T?\002x??h!???
> \220\233\066s?\030#gb\rn?rF\005Q?\213;?`\207$O?(m\222=9??/h??t??E?w?
> \237\"\206z\005\213?u at e", len=89, pcm=0x7effff9a6a80,
frame_size=640,
> decode_fec=0, self_delimited=0,
>
>     packet_offset=0x0, soft_clip=1) at src/opus_decoder.c:681
>
>
> #3  0x000000000080226c in opus_decode (st=0x712357d0,
>
>     data=0x7effff9ab72c
"?~?`\\?K\005??y?w+g~?S2\025?\036T?\002x??h!???
> \220\233\066s?\030#gb\rn?rF\005Q?\213;?`\207$O?(m\222=9??/h??t??E?w?
> \237\"\206z\005\213?u at e", len=89, pcm=0x71245a60,
frame_size=640,
> decode_fec=0) at src/opus_decoder.c:867
>
>
> #4  0x00000000004fd6b5 in kn_opus_decode (decHandle=0x712357d0,
> decProp=0x1675698, src=0x16756d0, dest=0x71245a60,
>
>     dstLen=0x1673210) at MSTranscodeOPUS.c:100
>
>
> *And the code flow what we have observed for this specific incident:*
>
> *Called this as mode is CELT_ONLY,*
>
>    if (data!=NULL && st->prev_mode > 0 && (
>        (mode == MODE_CELT_ONLY && st->prev_mode !=
MODE_CELT_ONLY &&
> !st->prev_redundancy)
>     || (mode != MODE_CELT_ONLY && st->prev_mode ==
MODE_CELT_ONLY) )
>       )
>    {
>       *transition = 1*;
>       /* Decide where to allocate the stack memory for pcm_transition */
>       if (mode == MODE_CELT_ONLY)
>          pcm_transition_celt_size = F5*st->channels;
>       else
>          pcm_transition_silk_size = F5*st->channels;
>    }
>
> *So transition is made as 1 called this,*
>
>    if (transition && mode == MODE_CELT_ONLY)
>    {
>       pcm_transition = pcm_transition_celt;
>       opus_decode_frame(st, NULL, 0, pcm_transition, IMIN(F5, audiosize),
> 0);
>    }
>
> *In "opus_decode_frame" again, as data is passed as NULL, goes to
else
> part*
>
>    if (data != NULL)
>    {
>       audiosize = st->frame_size;
>       mode = st->mode;
>       ec_dec_init(&dec,(unsigned char*)data,len);
>    } else {
>       audiosize = frame_size;
>       mode = st->prev_mode;
>
> *As the mode is made as prev mode now, which was a silk, this goes inside,*
>
>   /* SILK processing */
>    if (mode != MODE_CELT_ONLY)
>    {
>
> *Then in this function called this*,
>
>         silk_ret = silk_Decode( silk_dec, &st->DecControl,
>                                 lost_flag, first_frame, &dec, pcm_ptr,
> &silk_frame_size );
>
>
> *And finally, somehow, the "silk_frame_size" is a negative value
( say
> -1376272 in our case), then in the same function called the below and this
> crashes here.*
>
>  pcm_ptr += silk_frame_size * st->channels;
>
>
> Please help.
>
> Thanks
> Suresh
>
>
>
>
>
>
>
>
>
>
>
>
>
> On 12 April 2015 at 21:23, Jean-Marc Valin <jmvalin at jmvalin.ca>
wrote:
>
>> Do you have any file that demonstrates the problem with either
opus_demo
>> or opusdec?
>>
>>         Jean-Marc
>>
>> On 09/04/15 04:01 AM, Suresh Thiriveedi wrote:
>> > Hi,
>> >
>> > I'm curious to know when would be the 1.1.1 stable version
available.
>> >
>> > In 1.1, we are facing crash when opus library is trying to decode
the
>> > CELT-only, full band and 20 ms. So we tried with 1.1.1 beta and it
looks
>> > to be fine. Is there any open issue regarding this in 1.1 version?
>> >
>> > Thanks
>> > Suresh
>> >
>> >
>> > _______________________________________________
>> > opus mailing list
>> > opus at xiph.org
>> > http://lists.xiph.org/mailman/listinfo/opus
>> >
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.xiph.org/pipermail/opus/attachments/20150416/4ced6274/attachment.htm

Please provide the input file that produces this with opus_demo.

On 16/04/15 03:24 AM, Suresh Thiriveedi wrote:
> Hi  Jean-Marc,
> 
> Could you please update if you got a chance to look into. As I
> mentioned, I don't see the same issue in 1.1.1, but I don't see any
> difference in 1.1.1 other than optimization based on the architecture.
> This optimization could have fixed some stack overflow issue in some
> specific cases?
> 
> 
> Thanks
> Suresh
> 
> On 13 April 2015 at 12:39, Suresh Thiriveedi <sthiriveedi at gmail.com
> <mailto:sthiriveedi at gmail.com>> wrote:
> 
>     Hi Jean-Marc,
> 
>     Thanks for your response. Please find the details as below.
> 
>     *_Backtrace we got for this crash:_*
> 
>     #0  0x0000000000800c54 in opus_decode_frame (st=0x38906b8f99d09c5,
> 
>         data=0xf0aa10b4ef1008ae <Address 0xf0aa10b4ef1008ae out of
>     bounds>, len=-188613428, pcm=0x6e80016085efd57,
> 
>         frame_size=44037315, decode_fec=58716895) at src/opus_decoder.c:384
> 
> 
>     #1  0x00000000008009c0 in opus_decode_frame (st=0x712357d0,
> 
>         data=0x7effff9ab72d
>    
"~?`\\?K\005??y?w+g~?S2\025?\036T?\002x??h!???\220\233\066s?\030#gb
>     \rn?rF\005Q?\213;?`\207$O?(m\222=9??/h??t??E?w?\237\"\206z\005
>     \213?u at e", len=88, pcm=0x7effff9a6a80, frame_size=640,
decode_fec=0)
>     at src/opus_decoder.c:319
> 
> 
>     #2  0x0000000000801be1 in opus_decode_native (st=0x712357d0,
> 
>         data=0x7effff9ab72d
>    
"~?`\\?K\005??y?w+g~?S2\025?\036T?\002x??h!???\220\233\066s?\030#gb
>     \rn?rF\005Q?\213;?`\207$O?(m\222=9??/h??t??E?w?\237\"\206z\005
>     \213?u at e", len=89, pcm=0x7effff9a6a80, frame_size=640,
decode_fec=0,
>     self_delimited=0,
> 
>         packet_offset=0x0, soft_clip=1) at src/opus_decoder.c:681
> 
> 
>     #3  0x000000000080226c in opus_decode (st=0x712357d0,
> 
>         data=0x7effff9ab72c
>    
"?~?`\\?K\005??y?w+g~?S2\025?\036T?\002x??h!???\220\233\066s?\030#gb
>     \rn?rF\005Q?\213;?`\207$O?(m\222=9??/h??t??E?w?\237\"\206z\005
>     \213?u at e", len=89, pcm=0x71245a60, frame_size=640,
decode_fec=0) at
>     src/opus_decoder.c:867
> 
> 
>     #4  0x00000000004fd6b5 in kn_opus_decode (decHandle=0x712357d0,
>     decProp=0x1675698, src=0x16756d0, dest=0x71245a60,
> 
>         dstLen=0x1673210) at MSTranscodeOPUS.c:100
> 
> 
> 
>     *_And the code flow what we have observed for this specific incident:_*
>     *_
>     _*
>     *_Called this as mode is CELT_ONLY,_*
> 
>        if (data!=NULL && st->prev_mode > 0 && (
>            (mode == MODE_CELT_ONLY && st->prev_mode !=
MODE_CELT_ONLY &&
>     !st->prev_redundancy)
>         || (mode != MODE_CELT_ONLY && st->prev_mode ==
MODE_CELT_ONLY) )
>           )
>        {
>           _transition = 1_;
>           /* Decide where to allocate the stack memory for pcm_transition
*/
>           if (mode == MODE_CELT_ONLY)
>              pcm_transition_celt_size = F5*st->channels;
>           else
>              pcm_transition_silk_size = F5*st->channels;
>        }
> 
>     *_So transition is made as 1 called this,_*
> 
>        if (transition && mode == MODE_CELT_ONLY)
>        {
>           pcm_transition = pcm_transition_celt;
>           opus_decode_frame(st, NULL, 0, pcm_transition, IMIN(F5,
>     audiosize), 0);
>        }
> 
>     *_In "opus_decode_frame" again, as data is passed as NULL,
goes to
>     else part_*
> 
>        if (data != NULL)
>        {
>           audiosize = st->frame_size;
>           mode = st->mode;
>           ec_dec_init(&dec,(unsigned char*)data,len);
>        } else {
>           audiosize = frame_size;
>           mode = st->prev_mode;
> 
>     *_As the mode is made as prev mode now, which was a silk, this goes
>     inside,_*
> 
>       /* SILK processing */
>        if (mode != MODE_CELT_ONLY)
>        {
> 
>     *_Then in this function called this_*,
> 
>             silk_ret = silk_Decode( silk_dec, &st->DecControl,
>                                     lost_flag, first_frame, &dec,
>     pcm_ptr, &silk_frame_size );
> 
> 
>     *_And finally, somehow, the "silk_frame_size" is a negative
value (
>     say -1376272 in our case), then in the same function called the
>     below and this crashes here._*
> 
>      pcm_ptr += silk_frame_size * st->channels;
> 
> 
>     Please help.
> 
>     Thanks
>     Suresh
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>     On 12 April 2015 at 21:23, Jean-Marc Valin <jmvalin at jmvalin.ca
>     <mailto:jmvalin at jmvalin.ca>> wrote:
> 
>         Do you have any file that demonstrates the problem with either
>         opus_demo
>         or opusdec?
> 
>                 Jean-Marc
> 
>         On 09/04/15 04:01 AM, Suresh Thiriveedi wrote:
>         > Hi,
>         >
>         > I'm curious to know when would be the 1.1.1 stable version
>         available.
>         >
>         > In 1.1, we are facing crash when opus library is trying to
>         decode the
>         > CELT-only, full band and 20 ms. So we tried with 1.1.1 beta
>         and it looks
>         > to be fine. Is there any open issue regarding this in 1.1
version?
>         >
>         > Thanks
>         > Suresh
>         >
>         >
>         > _______________________________________________
>         > opus mailing list
>         > opus at xiph.org <mailto:opus at xiph.org>
>         > http://lists.xiph.org/mailman/listinfo/opus
>         >
> 
> 
>