idnits 2.17.1
draft-ietf-codec-opus-update-09.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
== There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
document.
-- The draft header indicates that this document updates RFC6716, but the
abstract doesn't seem to directly say this. It does mention RFC6716
though, so this could be OK.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 415 has weird spacing: '...5ee2acc testv...'
== Line 421 has weird spacing: '...5705ecb testv...'
-- The document date (August 17, 2017) is 2434 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
No issues found here.
Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group JM. Valin
3 Internet-Draft Mozilla Corporation
4 Updates: 6716 (if approved) K. Vos
5 Intended status: Standards Track vocTone
6 Expires: February 18, 2018 August 17, 2017
8 Updates to the Opus Audio Codec
9 draft-ietf-codec-opus-update-09
11 Abstract
13 This document addresses minor issues that were found in the
14 specification of the Opus audio codec in RFC 6716. It updates the
15 nornative decoder implementation included in the appendix of RFC
16 6716. The changes fixes real and potential security-related issues,
17 as well minor quality-related issues.
19 Status of This Memo
21 This Internet-Draft is submitted in full conformance with the
22 provisions of BCP 78 and BCP 79.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF). Note that other groups may also distribute
26 working documents as Internet-Drafts. The list of current Internet-
27 Drafts is at http://datatracker.ietf.org/drafts/current/.
29 Internet-Drafts are draft documents valid for a maximum of six months
30 and may be updated, replaced, or obsoleted by other documents at any
31 time. It is inappropriate to use Internet-Drafts as reference
32 material or to cite them other than as "work in progress."
34 This Internet-Draft will expire on February 18, 2018.
36 Copyright Notice
38 Copyright (c) 2017 IETF Trust and the persons identified as the
39 document authors. All rights reserved.
41 This document is subject to BCP 78 and the IETF Trust's Legal
42 Provisions Relating to IETF Documents
43 (http://trustee.ietf.org/license-info) in effect on the date of
44 publication of this document. Please review these documents
45 carefully, as they describe your rights and restrictions with respect
46 to this document. Code Components extracted from this document must
47 include Simplified BSD License text as described in Section 4.e of
48 the Trust Legal Provisions and are provided without warranty as
49 described in the Simplified BSD License.
51 Table of Contents
53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
54 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
55 3. Stereo State Reset in SILK . . . . . . . . . . . . . . . . . 3
56 4. Parsing of the Opus Packet Padding . . . . . . . . . . . . . 3
57 5. Resampler buffer . . . . . . . . . . . . . . . . . . . . . . 4
58 6. Integer wrap-around in inverse gain computation . . . . . . . 6
59 7. Integer wrap-around in LSF decoding . . . . . . . . . . . . . 6
60 8. Cap on Band Energy . . . . . . . . . . . . . . . . . . . . . 7
61 9. Hybrid Folding . . . . . . . . . . . . . . . . . . . . . . . 7
62 10. Downmix to Mono . . . . . . . . . . . . . . . . . . . . . . . 9
63 11. New Test Vectors . . . . . . . . . . . . . . . . . . . . . . 9
64 12. Security Considerations . . . . . . . . . . . . . . . . . . . 10
65 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
66 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
67 15. Normative References . . . . . . . . . . . . . . . . . . . . 11
68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
70 1. Introduction
72 This document addresses minor issues that were discovered in the
73 reference implementation of the Opus codec. Unlike most IETF
74 specifications, Opus is defined in RFC 6716 [RFC6716] in terms of a
75 normative reference decoder implementation rather than from the
76 associated text description. That RFC includes the reference decoder
77 implementation as Appendix A. That's why only issues affecting the
78 decoder are listed here. An up-to-date implementation of the Opus
79 encoder can be found at .
81 Some of the changes in this document update normative behaviour in a
82 way that requires new test vectors. The English text of the
83 specification is unaffected, only the C implementation is. The
84 updated specification remains fully compatible with the original
85 specification.
87 Note: due to RFC formatting conventions, lines exceeding the column
88 width in the patch are split using a backslash character. The
89 backslashes at the end of a line and the white space at the beginning
90 of the following line are not part of the patch. A properly
91 formatted patch including all changes is available at
92 and has a SHA-1 hash of
94 029e3aa88fc342c91e67a21e7bfbc9458661cd5f.
96 2. Terminology
98 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
99 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
100 document are to be interpreted as described in RFC 2119 [RFC2119].
102 3. Stereo State Reset in SILK
104 The reference implementation does not reinitialize the stereo state
105 during a mode switch. The old stereo memory can produce a brief
106 impulse (i.e. single sample) in the decoded audio. This can be fixed
107 by changing silk/dec_API.c at line 72:
109
110 for( n = 0; n < DECODER_NUM_CHANNELS; n++ ) {
111 ret = silk_init_decoder( &channel_state[ n ] );
112 }
113 + silk_memset(&((silk_decoder *)decState)->sStereo, 0,
114 + sizeof(((silk_decoder *)decState)->sStereo));
115 + /* Not strictly needed, but it's cleaner that way */
116 + ((silk_decoder *)decState)->prev_decode_only_middle = 0;
118 return ret;
119 }
120
122 This change affects the normative output of the decoder, but the
123 amount of change is within the tolerance and too small to make the
124 testvector check fail.
126 4. Parsing of the Opus Packet Padding
128 It was discovered that some invalid packets of very large size could
129 trigger an out-of-bounds read in the Opus packet parsing code
130 responsible for padding. This is due to an integer overflow if the
131 signaled padding exceeds 2^31-1 bytes (the actual packet may be
132 smaller). The code can be fixed by decrementing the (signed) len
133 value, instead of incrementing a separate padding counter. This is
134 done by applying the following changes at line 596 of src/
135 opus_decoder.c:
137
138 /* Padding flag is bit 6 */
139 if (ch&0x40)
140 {
141 - int padding=0;
142 int p;
143 do {
144 if (len<=0)
145 return OPUS_INVALID_PACKET;
146 p = *data++;
147 len--;
148 - padding += p==255 ? 254: p;
149 + len -= p==255 ? 254: p;
150 } while (p==255);
151 - len -= padding;
152 }
153
155 This packet parsing issue is limited to reading memory up to about 60
156 kB beyond the compressed buffer. This can only be triggered by a
157 compressed packet more than about 16 MB long, so it's not a problem
158 for RTP. In theory, it could crash a file decoder (e.g. Opus in
159 Ogg) if the memory just after the incoming packet is out-of-range,
160 but our attempts to trigger such a crash in a production application
161 built using an affected version of the Opus decoder failed.
163 5. Resampler buffer
165 The SILK resampler had the following issues:
167 1. The calls to memcpy() were using sizeof(opus_int32), but the type
168 of the local buffer was opus_int16.
170 2. Because the size was wrong, this potentially allowed the source
171 and destination regions of the memcpy() to overlap on the copy
172 from "buf" to "buf". We believe that nSamplesIn (number of input
173 samples) is at least fs_in_khZ (sampling rate in kHz), which is
174 at least 8. Since RESAMPLER_ORDER_FIR_12 is only 8, that should
175 not be a problem once the type size is fixed.
177 3. The size of the buffer used RESAMPLER_MAX_BATCH_SIZE_IN, but the
178 data stored in it was actually twice the input batch size
179 (nSamplesIn<<1).
181 The allocated buffers involved (buf and S->sFIR) are actually larger
182 than they need to be for the batch size used, so no out-of-bounds
183 read or write is possible. Therefore the bug cannot be exploited.
185 The code can be fixed by applying the following changes to line 78 of
186 silk/resampler_private_IIR_FIR.c:
188
189 )
190 {
191 silk_resampler_state_struct *S = \
192 (silk_resampler_state_struct *)SS;
193 opus_int32 nSamplesIn;
194 opus_int32 max_index_Q16, index_increment_Q16;
195 - opus_int16 buf[ RESAMPLER_MAX_BATCH_SIZE_IN + \
196 RESAMPLER_ORDER_FIR_12 ];
197 + opus_int16 buf[ 2*RESAMPLER_MAX_BATCH_SIZE_IN + \
198 RESAMPLER_ORDER_FIR_12 ];
200 /* Copy buffered samples to start of buffer */
201 - silk_memcpy( buf, S->sFIR, RESAMPLER_ORDER_FIR_12 \
202 * sizeof( opus_int32 ) );
203 + silk_memcpy( buf, S->sFIR, RESAMPLER_ORDER_FIR_12 \
204 * sizeof( opus_int16 ) );
206 /* Iterate over blocks of frameSizeIn input samples */
207 index_increment_Q16 = S->invRatio_Q16;
208 while( 1 ) {
209 nSamplesIn = silk_min( inLen, S->batchSize );
211 /* Upsample 2x */
212 silk_resampler_private_up2_HQ( S->sIIR, &buf[ \
213 RESAMPLER_ORDER_FIR_12 ], in, nSamplesIn );
215 max_index_Q16 = silk_LSHIFT32( nSamplesIn, 16 + 1 \
216 ); /* + 1 because 2x upsampling */
217 out = silk_resampler_private_IIR_FIR_INTERPOL( out, \
218 buf, max_index_Q16, index_increment_Q16 );
219 in += nSamplesIn;
220 inLen -= nSamplesIn;
222 if( inLen > 0 ) {
223 /* More iterations to do; copy last part of \
224 filtered signal to beginning of buffer */
225 - silk_memcpy( buf, &buf[ nSamplesIn << 1 ], \
226 RESAMPLER_ORDER_FIR_12 * sizeof( opus_int32 ) );
227 + silk_memmove( buf, &buf[ nSamplesIn << 1 ], \
228 RESAMPLER_ORDER_FIR_12 * sizeof( opus_int16 ) );
229 } else {
230 break;
231 }
232 }
233 /* Copy last part of filtered signal to the state for \
234 the next call */
235 - silk_memcpy( S->sFIR, &buf[ nSamplesIn << 1 ], \
236 RESAMPLER_ORDER_FIR_12 * sizeof( opus_int32 ) );
237 + silk_memcpy( S->sFIR, &buf[ nSamplesIn << 1 ], \
238 RESAMPLER_ORDER_FIR_12 * sizeof( opus_int16 ) );
239 }
240
242 6. Integer wrap-around in inverse gain computation
244 It was discovered through decoder fuzzing that some bitstreams could
245 produce integer values exceeding 32-bits in
246 LPC_inverse_pred_gain_QA(), causing a wrap-around. Although the
247 authors are not aware of any way to exploit the bug, the C standard
248 considers the behavior as undefined. The following patch to line 87
249 of silk/LPC_inv_pred_gain.c detects values that do not fit in a
250 32-bit integer and considers the corresponding filters unstable:
252
253 /* Update AR coefficient */
254 for( n = 0; n < k; n++ ) {
255 - tmp_QA = Aold_QA[ n ] - MUL32_FRAC_Q( \
256 Aold_QA[ k - n - 1 ], rc_Q31, 31 );
257 - Anew_QA[ n ] = MUL32_FRAC_Q( tmp_QA, rc_mult2 , mult2Q );
258 + opus_int64 tmp64;
259 + tmp_QA = silk_SUB_SAT32( Aold_QA[ n ], MUL32_FRAC_Q( \
260 Aold_QA[ k - n - 1 ], rc_Q31, 31 ) );
261 + tmp64 = silk_RSHIFT_ROUND64( silk_SMULL( tmp_QA, \
262 rc_mult2 ), mult2Q);
263 + if( tmp64 > silk_int32_MAX || tmp64 < silk_int32_MIN ) {
264 + return 0;
265 + }
266 + Anew_QA[ n ] = ( opus_int32 )tmp64;
267 }
268
270 7. Integer wrap-around in LSF decoding
272 It was discovered -- also from decoder fuzzing -- that an integer
273 wrap-around could occur when decoding bitstreams with extremely large
274 values for the high LSF parameters. The end result of the wrap-
275 around is an illegal read access on the stack, which the authors do
276 not believe is exploitable but should nonetheless be fixed. The
277 following patch to line 137 of silk/NLSF_stabilize.c prevents the
278 problem:
280
281 /* Keep delta_min distance between the NLSFs */
282 for( i = 1; i < L; i++ )
283 - NLSF_Q15[i] = silk_max_int( NLSF_Q15[i], \
284 NLSF_Q15[i-1] + NDeltaMin_Q15[i] );
285 + NLSF_Q15[i] = silk_max_int( NLSF_Q15[i], \
286 silk_ADD_SAT16( NLSF_Q15[i-1], NDeltaMin_Q15[i] ) );
288 /* Last NLSF should be no higher than 1 - NDeltaMin[L] */
289
291 8. Cap on Band Energy
293 On extreme bit-streams, it is possible for log-domain band energy
294 levels to exceed the maximum single-precision floating point value
295 once converted to a linear scale. This would later cause the decoded
296 values to be NaN (not a number), possibly causing problems in the
297 software using the PCM values. This can be avoided with the
298 following patch to line 552 of celt/quant_bands.c:
300
301 {
302 opus_val16 lg = ADD16(oldEBands[i+c*m->nbEBands],
303 SHL16((opus_val16)eMeans[i],6));
304 + lg = MIN32(QCONST32(32.f, 16), lg);
305 eBands[i+c*m->nbEBands] = PSHR32(celt_exp2(lg),4);
306 }
307 for (;inbEBands;i++)
308
310 9. Hybrid Folding
312 When encoding in hybrid mode at low bitrate, we sometimes only have
313 enough bits to code a single CELT band (8 - 9.6 kHz). When that
314 happens, the second band (CELT band 18, from 9.6 to 12 kHz) cannot
315 use folding because it is wider than the amount already coded, and
316 falls back to white noise. Because it can also happen on transients
317 (e.g. stops), it can cause audible pre-echo.
319 To address the issue, we change the folding behavior so that it is
320 never forced to fall back to LCG due to the first band not containing
321 enough coefficients to fold onto the second band. This is achieved
322 by simply repeating part of the first band in the folding of the
323 second band. This changes the code in celt/bands.c around line 1237:
325
326 b = 0;
327 }
329 - if (resynth && M*eBands[i]-N >= M*eBands[start] && \
330 (update_lowband || lowband_offset==0))
331 + if (resynth && (M*eBands[i]-N >= M*eBands[start] || \
332 i==start+1) && (update_lowband || lowband_offset==0))
333 lowband_offset = i;
335 + if (i == start+1)
336 + {
337 + int n1, n2;
338 + int offset;
339 + n1 = M*(eBands[start+1]-eBands[start]);
340 + n2 = M*(eBands[start+2]-eBands[start+1]);
341 + offset = M*eBands[start];
342 + /* Duplicate enough of the first band folding data to \
343 be able to fold the second band.
344 + Copies no data for CELT-only mode. */
345 + OPUS_COPY(&norm[offset+n1], &norm[offset+2*n1 - n2], n2-n1);
346 + if (C==2)
347 + OPUS_COPY(&norm2[offset+n1], &norm2[offset+2*n1 - n2], \
348 n2-n1);
349 + }
350 +
351 tf_change = tf_res[i];
352 if (i>=m->effEBands)
353 {
354
356 as well as line 1260:
358
359 fold_start = lowband_offset;
360 while(M*eBands[--fold_start] > effective_lowband);
361 fold_end = lowband_offset-1;
362 - while(M*eBands[++fold_end] < effective_lowband+N);
363 + while(++fold_end < i && M*eBands[fold_end] < \
364 effective_lowband+N);
365 x_cm = y_cm = 0;
366 fold_i = fold_start; do {
367 x_cm |= collapse_masks[fold_i*C+0];
369
371 The fix does not impact compatibility, because the improvement does
372 not depend on the encoder doing anything special. There is also no
373 reasonable way for an encoder to use the original behavior to improve
374 quality over the proposed change.
376 10. Downmix to Mono
378 The last issue is not strictly a bug, but it is an issue that has
379 been reported when downmixing an Opus decoded stream to mono, whether
380 this is done inside the decoder or as a post-processing step on the
381 stereo decoder output. Opus intensity stereo allows optionally
382 coding the two channels 180-degrees out of phase on a per-band basis.
383 This provides better stereo quality than forcing the two channels to
384 be in phase, but when the output is downmixed to mono, the energy in
385 the affected bands is cancelled sometimes resulting in audible
386 artifacts.
388 As a work-around for this issue, the decoder MAY choose not to apply
389 the 180-degree phase shift. This can be useful when downmixing to
390 mono inside or outside of the decoder (e.g. user-controllable).
392 11. New Test Vectors
394 Changes in Section 9 and Section 10 have sufficient impact on the
395 testvectors to make them fail. For this reason, this document also
396 updates the Opus test vectors. The new test vectors now include two
397 decoded outputs for the same bitstream. The outputs with suffix 'm'
398 do not apply the CELT 180-degree phase shift as allowed in
399 Section 10, while the outputs without the suffix do. An
400 implementation is compliant as long as it passes either set of
401 vectors.
403 Any Opus implementation that passes either the original test vectors
404 from RFC 6716 [RFC6716] or one of the new sets of test vectors is
405 compliant with the Opus specification. However, newer
406 implementations SHOULD be based on the new test vectors rather than
407 the old ones.
409 The new test vectors are located at
410 . The SHA-1 hashes of the test vectors are:
413 e49b2862ceec7324790ed8019eb9744596d5be01 testvector01.bit
414 b809795ae1bcd606049d76de4ad24236257135e0 testvector02.bit
415 e0c4ecaeab44d35a2f5b6575cd996848e5ee2acc testvector03.bit
416 a0f870cbe14ebb71fa9066ef3ee96e59c9a75187 testvector04.bit
417 9b3d92b48b965dfe9edf7b8a85edd4309f8cf7c8 testvector05.bit
418 28e66769ab17e17f72875283c14b19690cbc4e57 testvector06.bit
419 bacf467be3215fc7ec288f29e2477de1192947a6 testvector07.bit
420 ddbe08b688bbf934071f3893cd0030ce48dba12f testvector08.bit
421 3932d9d61944dab1201645b8eeaad595d5705ecb testvector09.bit
422 521eb2a1e0cc9c31b8b740673307c2d3b10c1900 testvector10.bit
423 6bc8f3146fcb96450c901b16c3d464ccdf4d5d96 testvector11.bit
424 338c3f1b4b97226bc60bc41038becbc6de06b28f testvector12.bit
425 f5ef93884da6a814d311027918e9afc6f2e5c2c8 testvector01.dec
426 48ac1ff1995250a756e1e17bd32acefa8cd2b820 testvector02.dec
427 d15567e919db2d0e818727092c0af8dd9df23c95 testvector03.dec
428 1249dd28f5bd1e39a66fd6d99449dca7a8316342 testvector04.dec
429 b85675d81deef84a112c466cdff3b7aaa1d2fc76 testvector05.dec
430 55f0b191e90bfa6f98b50d01a64b44255cb4813e testvector06.dec
431 61e8b357ab090b1801eeb578a28a6ae935e25b7b testvector07.dec
432 a58539ee5321453b2ddf4c0f2500e856b3966862 testvector08.dec
433 bb96aad2cde188555862b7bbb3af6133851ef8f4 testvector09.dec
434 1b6cdf0413ac9965b16184b1bea129b5c0b2a37a testvector10.dec
435 b1fff72b74666e3027801b29dbc48b31f80dee0d testvector11.dec
436 98e09bbafed329e341c3b4052e9c4ba5fc83f9b1 testvector12.dec
437 1e7d984ea3fbb16ba998aea761f4893fbdb30157 testvector01m.dec
438 48ac1ff1995250a756e1e17bd32acefa8cd2b820 testvector02m.dec
439 d15567e919db2d0e818727092c0af8dd9df23c95 testvector03m.dec
440 1249dd28f5bd1e39a66fd6d99449dca7a8316342 testvector04m.dec
441 d70b0bad431e7d463bc3da49bd2d49f1c6d0a530 testvector05m.dec
442 6ac1648c3174c95fada565161a6c78bdbe59c77d testvector06m.dec
443 fc5e2f709693738324fb4c8bdc0dad6dda04e713 testvector07m.dec
444 aad2ba397bf1b6a18e8e09b50e4b19627d479f00 testvector08m.dec
445 6feb7a7b9d7cdc1383baf8d5739e2a514bd0ba08 testvector09m.dec
446 1b6cdf0413ac9965b16184b1bea129b5c0b2a37a testvector10m.dec
447 fd3d3a7b0dfbdab98d37ed9aa04b659b9fefbd18 testvector11m.dec
448 98e09bbafed329e341c3b4052e9c4ba5fc83f9b1 testvector12m.dec
450 Note that the decoder input bitstream files (.bit) are unchanged.
452 12. Security Considerations
454 This document fixes two security issues reported on Opus and that
455 affect the reference implementation in RFC 6716 [RFC6716]: CVE-
456 2013-0899 and CVE-
457 2017-0381 . CVE-
458 2013-0899 is fixed by Section 4 and could theoretically cause an
459 information leak, but the leaked information would at the very least
460 go through the decoder process before being accessible to the
461 attacker. Also, the bug can only be triggered by Opus packets at
462 least 24 MB in size. CVE-2017-0381 is fixed by Section 7 and can
463 only result in a 16-bit out-of-bounds read to a fixed location 256
464 bytes before a constant table. That location would normally be part
465 of an executable's read-only data segment, but if that is not the
466 case, the bug could at worst results in either a crash or the leakage
467 of 16 bits of information from that fixed memory location (if the
468 attacker has access to the decoded output). Despite the claims of
469 the CVE, the bug cannot results in arbitrary code execution. Beyond
470 the two fixed CVEs, this document adds no new security considerations
471 on top of RFC 6716 [RFC6716].
473 13. IANA Considerations
475 This document makes no request of IANA.
477 Note to RFC Editor: this section may be removed on publication as an
478 RFC.
480 14. Acknowledgements
482 We would like to thank Juri Aedla for reporting the issue with the
483 parsing of the Opus padding. Thanks to Felicia Lim for reporting the
484 LSF integer overflow issue. Also, thanks to Tina le Grand, Jonathan
485 Lennox, and Mark Harris for their feedback on this document.
487 15. Normative References
489 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
490 Requirement Levels", BCP 14, RFC 2119,
491 DOI 10.17487/RFC2119, March 1997, .
494 [RFC6716] Valin, JM., Vos, K., and T. Terriberry, "Definition of the
495 Opus Audio Codec", RFC 6716, DOI 10.17487/RFC6716,
496 September 2012, .
498 Authors' Addresses
500 Jean-Marc Valin
501 Mozilla Corporation
502 331 E. Evelyn Avenue
503 Mountain View, CA 94041
504 USA
506 Phone: +1 650 903-0800
507 Email: jmvalin@jmvalin.ca
508 Koen Vos
509 vocTone
511 Email: koenvos74@gmail.com