Bug #914

Buffer overrun in YinUtil::yinProb

Added by Chris Cannam about 10 years ago. Updated about 10 years ago.

Status: Resolved
Start date: 2014-04-01
Priority: Normal
Due date:
Assignee: Matthias Mauch
% Done: 0%
Category: -
Target version: -

Description

Spotted while running Valgrind on Tony:

3564 Invalid read of size 8
3564 at 0x626A25D: YinUtil::yinProb(double const*, unsigned long, unsigned long, unsigned long, unsigned long) (YinUtil.cpp:278)
3564 by 0x6267EC7: Yin::processProbabilisticYin(double const*) const (Yin.cpp:92)
3564 by 0x624432F: PYinVamp::process(float const* const*, _VampPlugin::Vamp::RealTime) (PYinVamp.cpp:372)

...

3564 Address 0xc2ac340 is 0 bytes after a block of size 8,192 alloc'd
3564 at 0x4C293B0: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
3564 by 0x6267E62: Yin::processProbabilisticYin(double const*) const (Yin.cpp:86)
3564 by 0x624432F: PYinVamp::process(float const* const*, _VampPlugin::Vamp::RealTime) (PYinVamp.cpp:372)

Looks like tau == maxTau-1 and so yinBuffer[tau+1] is yinBuffer[yinBufferSize] which (being zero-based) is indexing just beyond the end of the array.

History

#1 Updated by Chris Cannam about 10 years ago

  • Status changed from New to Resolved
  • Assignee set to Matthias Mauch

Likely fix committed in da92a0abc7c6 (for review)

#2 Updated by Matthias Mauch about 10 years ago

Thanks, that was quick. Just wanted to look into it. M
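The off-by-one described in the report, as an added example that is not part of the original issue and is not the project's code or the committed fix. The loop shape, the `AuditedBuffer` wrapper and the function names are hypothetical; the buffer length of 1024 doubles is derived from the 8,192-byte block and 8-byte reads in the Valgrind trace.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>
#include <vector>

// Hypothetical stand-in for a raw double* buffer: instead of reading out of
// bounds, it records the attempt (what Valgrind reports as "Invalid read").
struct AuditedBuffer {
    std::vector<double> data;
    mutable std::vector<std::size_t> invalidReads;
    double at(std::size_t i) const {
        if (i >= data.size()) { invalidReads.push_back(i); return std::numeric_limits<double>::quiet_NaN(); }
        return data[i];
    }
};

// Assumed loop shape matching the report: descend while buf[tau+1] < buf[tau],
// bounded only by tau < maxTau. At tau == maxTau-1 with maxTau == buffer size,
// buf[tau+1] is one element past the end.
std::size_t descendUnchecked(const AuditedBuffer &buf, std::size_t tau, std::size_t maxTau) {
    while (tau < maxTau && buf.at(tau + 1) < buf.at(tau)) ++tau;
    return tau;
}

// Bounded form: the look-ahead index itself must lie inside the search range.
std::size_t descendBounded(const AuditedBuffer &buf, std::size_t tau, std::size_t maxTau) {
    while (tau + 1 < maxTau && buf.at(tau + 1) < buf.at(tau)) ++tau;
    return tau;
}

// Constructed input: n strictly decreasing values, so the descent runs all the
// way to the last element and exercises the boundary.
AuditedBuffer makeDecreasing(std::size_t n) {
    AuditedBuffer b;
    for (std::size_t i = 0; i < n; ++i) b.data.push_back(static_cast<double>(n - i));
    return b;
}

int main() {
    AuditedBuffer a = makeDecreasing(1024), b = makeDecreasing(1024);
    std::size_t ta = descendUnchecked(a, 0, 1024);
    std::size_t tb = descendBounded(b, 0, 1024);
    std::printf("unchecked: tau=%zu, %zu invalid read(s)\n", ta, a.invalidReads.size());
    std::printf("bounded:   tau=%zu, %zu invalid read(s)\n", tb, b.invalidReads.size());
    return 0;
}
```

Both variants can return the same index, which is why a read like this tends to go unnoticed until a tool such as Valgrind or AddressSanitizer flags it.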
