Dear authors,
It seems that there is a potential division-by-zero error in the vector_quantize function in src/programs/cdcn_train/vq.c at line 284.
Update_codebook(bin, vector, Nvecs, codes, Ncodes, Ndim); |
distortion = |
Distortion_and_cluster(bin, vector, Nvecs, codes, |
Ncodes, Ndim); |
improvement = (prevdist - distortion) / distortion; |
When an arbitrary input comes from
corpus_get_generic_featurevec(&buff, &length, Ndim); |
the Distortion_and_cluster function can return 0, because distortion is the sum of each vector's minimum squared distance to a codeword, and that sum is 0 when every input vector coincides with a codeword:
distortion = 0; |
for (i = 0; i < Nvecs; ++i) { |
mindist = 1.0e+32; |
nearest = 0; |
mindist = |
prune_distance(vector[i], codes[0], Ndim, mindist); |
for (j = 1; j < Ncodes; ++j) { |
codedist = |
prune_distance(vector[i], codes[j], Ndim, |
mindist); |
if (codedist < mindist) { |
mindist = codedist; |
nearest = j; |
} |
} |
bins[i] = nearest; |
distortion += mindist; |
t = *x++ - *y++; |
dist = t * t; |
for (i = 1; i < Ndim; ++i) { |
t = *x++ - *y++; |
dist += t * t; |
if (dist > mindist) |
break; |
} |
return (dist); |
This can happen, for example, when the input is homogeneous or when the number of codewords equals the number of unique vectors.
A simple possible patch would be
+ if (! distortion) {
+ printf("division by zero: ...");
+ exit(...);
+ }
284 improvement = (prevdist - distortion) / distortion;
Also, there is a potential memory-allocation error that can crash the program
in the function areadfloat_part in sphinxtrain/src/libs/libio/s3io.c.
When an arbitrary value r_len is passed to calloc together with sizeof(float), calloc can return NULL, and r_buf is then handed to fread without a NULL check:
r_buf = calloc(r_len, sizeof(float)); |
When an arbitrary value for cur_ctl_sf comes from
if (fgets(li->buf + li->len, li->bsiz - li->len, li->fh) == NULL) { |
li = lineiter_start_clean(ctl_fp); |
if (li == NULL) { |
E_ERROR("Must be at least one line in the control file\n"); |
return S3_ERROR; |
} |
parse_ctl_line(li->buf, |
&next_ctl_path, |
cur_ctl_path = next_ctl_path; |
The following call trace can crash the program:
ret = areadfloat_part(mk_filename(DATA_TYPE_MFCC, cur_ctl_path), |
cur_ctl_sf * veclen, |
(cur_ctl_ef + 1) * veclen - 1, |
cptr, (int *)&n_c); |
r_len = e_coeff - s_coeff + 1; |
r_buf = calloc(r_len, sizeof(float)); |
if (fread(r_buf, sizeof(float), r_len, fp) != r_len) { |
A simple possible patch would be
600 r_buf = calloc(r_len, sizeof(float));
+ if (r_len > INT_MAX / sizeof(float)) {
+ return -1;
+ }
These errors were discovered by static analysis.
Dear authors,
It seems that there is a potential division-by-zero error in the
vector_quantize function in src/programs/cdcn_train/vq.c at line 284.
sphinxtrain/src/programs/cdcn_train/vq.c
Lines 280 to 284 in 811dfbf
When an arbitrary input comes from
sphinxtrain/src/programs/cdcn_train/main.c
Line 97 in 811dfbf
the Distortion_and_cluster function can return 0
sphinxtrain/src/programs/cdcn_train/vq.c
Lines 171 to 187 in 811dfbf
sphinxtrain/src/programs/cdcn_train/vq.c
Lines 81 to 89 in 811dfbf
This can happen, for example, when the input is homogeneous or when the number of codewords equals the number of unique vectors.
A simple possible patch would be
Also, there is a potential memory-allocation error that can crash the program
in the function
areadfloat_part in sphinxtrain/src/libs/libio/s3io.c. When an arbitrary value
r_len is passed to calloc together with sizeof(float), calloc can return NULL.
sphinxtrain/src/libs/libio/s3io.c
Line 600 in 811dfbf
When an arbitrary value for
cur_ctl_sf comes from
sphinxtrain/src/libs/libsphinxbase/util/pio.c
Line 331 in 811dfbf
sphinxtrain/src/libs/libio/corpus.c
Lines 320 to 328 in 811dfbf
sphinxtrain/src/libs/libio/corpus.c
Line 1080 in 811dfbf
The following call trace can crash the program:
sphinxtrain/src/libs/libio/corpus.c
Lines 1319 to 1322 in 811dfbf
sphinxtrain/src/libs/libio/s3io.c
Line 590 in 811dfbf
sphinxtrain/src/libs/libio/s3io.c
Line 600 in 811dfbf
sphinxtrain/src/libs/libio/s3io.c
Line 601 in 811dfbf
A simple possible patch would be
These errors were discovered by static analysis.