Summary
Several codec paths rely on signed overflow, implementation-defined narrowing, or unchecked shift counts when used with full-range int32_t inputs or malformed streams.
Affected areas
src/codec/simd/neon.cppsrc/codec/lac/decoder.cppsrc/codec/block/encoder.cppsrc/codec/block/decoder.cppsrc/codec/rice/rice.cppsrc/codec/lpc/lpc.cpp
Problem details
Known cases:
- mid/side scalar encode computes
l + r and l - r in int32_t
- mid/side decode reconstructs with signed
int32_t expressions
- fixed/FIR residual and restore paths narrow unchecked
int64_t values to int32_t
Rice::encode/decode accepts k >= 32, which is invalid for 32-bit shifts- LPC autocorrelation uses
int64_t accumulation while public APIs accept arbitrary int32_t samples
Acceptance criteria
- Use explicit widened arithmetic and range checks where required.
- Reject or clamp malformed decode states consistently according to format rules.
- Add sanitizer-backed tests for boundary values, including full-range
int32_t synthetic inputs where applicable.
- Add direct Rice tests for invalid
k and k == 31 boundary behavior.
Summary
Several codec paths rely on signed overflow, implementation-defined narrowing, or unchecked shift counts when used with full-range
int32_tinputs or malformed streams.Affected areas
src/codec/simd/neon.cppsrc/codec/lac/decoder.cppsrc/codec/block/encoder.cppsrc/codec/block/decoder.cppsrc/codec/rice/rice.cppsrc/codec/lpc/lpc.cppProblem details
Known cases:
l + randl - rinint32_tint32_texpressionsint64_tvalues toint32_tRice::encode/decodeacceptsk >= 32, which is invalid for 32-bit shiftsint64_taccumulation while public APIs accept arbitraryint32_tsamplesAcceptance criteria
int32_tsynthetic inputs where applicable.kandk == 31boundary behavior.