1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
|
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-codec-opus-update-10"
ipr="trust200902" updates="6716">
<front>
<title abbrev="Opus Update">Updates to the Opus Audio Codec</title>
<author initials="JM" surname="Valin" fullname="Jean-Marc Valin">
<organization>Mozilla Corporation</organization>
<address>
<postal>
<street>331 E. Evelyn Avenue</street>
<city>Mountain View</city>
<region>CA</region>
<code>94041</code>
<country>USA</country>
</postal>
<phone>+1 650 903-0800</phone>
<email>jmvalin@jmvalin.ca</email>
</address>
</author>
<author initials="K." surname="Vos" fullname="Koen Vos">
<organization>vocTone</organization>
<address>
<postal>
<street></street>
<city></city>
<region></region>
<code></code>
<country></country>
</postal>
<phone></phone>
<email>koenvos74@gmail.com</email>
</address>
</author>
<date day="24" month="August" year="2017" />
<abstract>
<t>This document addresses minor issues that were found in the specification
of the Opus audio codec in RFC 6716. It updates the normative decoder implementation
included in the appendix of RFC 6716. The changes fixes real and potential security-related
issues, as well minor quality-related issues.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>This document addresses minor issues that were discovered in the reference
implementation of the Opus codec. Unlike most IETF specifications, Opus is defined
in <xref target="RFC6716">RFC 6716</xref> in terms of a normative reference
decoder implementation rather than from the associated text description.
That RFC includes the reference decoder implementation as Appendix A.
That's why only issues affecting the decoder are
listed here. An up-to-date implementation of the Opus encoder can be found at
<eref target="https://opus-codec.org/"/>.</t>
<t>
Some of the changes in this document update normative behaviour in a way that requires
new test vectors. The English text of the specification is unaffected, only
the C implementation is. The updated specification remains fully compatible with
the original specification.
</t>
<t>
Note: due to RFC formatting conventions, lines exceeding the column width
in the patch are split using a backslash character. The backslashes
at the end of a line and the white space at the beginning
of the following line are not part of the patch. A properly formatted patch
including all changes is available at
<eref target="https://www.ietf.org/proceedings/98/slides/materials-98-codec-opus-update-00.patch"/>
and has a SHA-1 hash of 029e3aa88fc342c91e67a21e7bfbc9458661cd5f.
</t>
</section>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</section>
<section title="Stereo State Reset in SILK">
<t>The reference implementation does not reinitialize the stereo state
during a mode switch. The old stereo memory can produce a brief impulse
(i.e. single sample) in the decoded audio. This can be fixed by changing
silk/dec_API.c at line 72:
</t>
<figure>
<artwork><![CDATA[
<CODE BEGINS>
for( n = 0; n < DECODER_NUM_CHANNELS; n++ ) {
ret = silk_init_decoder( &channel_state[ n ] );
}
+ silk_memset(&((silk_decoder *)decState)->sStereo, 0,
+ sizeof(((silk_decoder *)decState)->sStereo));
+ /* Not strictly needed, but it's cleaner that way */
+ ((silk_decoder *)decState)->prev_decode_only_middle = 0;
return ret;
}
<CODE ENDS>
]]></artwork>
</figure>
<t>
This change affects the normative output of the decoder, but the
amount of change is within the tolerance and too small to make the testvector check fail.
</t>
</section>
<section anchor="padding" title="Parsing of the Opus Packet Padding">
<t>It was discovered that some invalid packets of very large size could trigger
an out-of-bounds read in the Opus packet parsing code responsible for padding.
This is due to an integer overflow if the signaled padding exceeds 2^31-1 bytes
(the actual packet may be smaller). The code can be fixed by decrementing the
(signed) len value, instead of incrementing a separate padding counter.
This is done by applying the following changes at line 596 of src/opus_decoder.c:
</t>
<figure>
<artwork><![CDATA[
<CODE BEGINS>
/* Padding flag is bit 6 */
if (ch&0x40)
{
- int padding=0;
int p;
do {
if (len<=0)
return OPUS_INVALID_PACKET;
p = *data++;
len--;
- padding += p==255 ? 254: p;
+ len -= p==255 ? 254: p;
} while (p==255);
- len -= padding;
}
<CODE ENDS>
]]></artwork>
</figure>
<t>This packet parsing issue is limited to reading memory up
to about 60 kB beyond the compressed buffer. This can only be triggered
by a compressed packet more than about 16 MB long, so it's not a problem
for RTP. In theory, it could crash a file
decoder (e.g. Opus in Ogg) if the memory just after the incoming packet
is out-of-range, but our attempts to trigger such a crash in a production
application built using an affected version of the Opus decoder failed.</t>
</section>
<section anchor="resampler" title="Resampler buffer">
<t>The SILK resampler had the following issues:
<list style="numbers">
<t>The calls to memcpy() were using sizeof(opus_int32), but the type of the
local buffer was opus_int16.</t>
<t>Because the size was wrong, this potentially allowed the source
and destination regions of the memcpy() to overlap on the copy from "buf" to "buf".
We believe that nSamplesIn (number of input samples) is at least fs_in_khZ (sampling rate in kHz),
which is at least 8.
Since RESAMPLER_ORDER_FIR_12 is only 8, that should not be a problem once
the type size is fixed.</t>
<t>The size of the buffer used RESAMPLER_MAX_BATCH_SIZE_IN, but the
data stored in it was actually twice the input batch size
(nSamplesIn<<1).</t>
</list></t>
<t>The code can be fixed by applying the following changes to line 78 of silk/resampler_private_IIR_FIR.c:
</t>
<figure>
<artwork><![CDATA[
<CODE BEGINS>
)
{
silk_resampler_state_struct *S = \
(silk_resampler_state_struct *)SS;
opus_int32 nSamplesIn;
opus_int32 max_index_Q16, index_increment_Q16;
- opus_int16 buf[ RESAMPLER_MAX_BATCH_SIZE_IN + \
RESAMPLER_ORDER_FIR_12 ];
+ opus_int16 buf[ 2*RESAMPLER_MAX_BATCH_SIZE_IN + \
RESAMPLER_ORDER_FIR_12 ];
/* Copy buffered samples to start of buffer */
- silk_memcpy( buf, S->sFIR, RESAMPLER_ORDER_FIR_12 \
* sizeof( opus_int32 ) );
+ silk_memcpy( buf, S->sFIR, RESAMPLER_ORDER_FIR_12 \
* sizeof( opus_int16 ) );
/* Iterate over blocks of frameSizeIn input samples */
index_increment_Q16 = S->invRatio_Q16;
while( 1 ) {
nSamplesIn = silk_min( inLen, S->batchSize );
/* Upsample 2x */
silk_resampler_private_up2_HQ( S->sIIR, &buf[ \
RESAMPLER_ORDER_FIR_12 ], in, nSamplesIn );
max_index_Q16 = silk_LSHIFT32( nSamplesIn, 16 + 1 \
); /* + 1 because 2x upsampling */
out = silk_resampler_private_IIR_FIR_INTERPOL( out, \
buf, max_index_Q16, index_increment_Q16 );
in += nSamplesIn;
inLen -= nSamplesIn;
if( inLen > 0 ) {
/* More iterations to do; copy last part of \
filtered signal to beginning of buffer */
- silk_memcpy( buf, &buf[ nSamplesIn << 1 ], \
RESAMPLER_ORDER_FIR_12 * sizeof( opus_int32 ) );
+ silk_memmove( buf, &buf[ nSamplesIn << 1 ], \
RESAMPLER_ORDER_FIR_12 * sizeof( opus_int16 ) );
} else {
break;
}
}
/* Copy last part of filtered signal to the state for \
the next call */
- silk_memcpy( S->sFIR, &buf[ nSamplesIn << 1 ], \
RESAMPLER_ORDER_FIR_12 * sizeof( opus_int32 ) );
+ silk_memcpy( S->sFIR, &buf[ nSamplesIn << 1 ], \
RESAMPLER_ORDER_FIR_12 * sizeof( opus_int16 ) );
}
<CODE ENDS>
]]></artwork>
</figure>
</section>
<section title="Integer wrap-around in inverse gain computation">
<t>
It was discovered through decoder fuzzing that some bitstreams could produce
integer values exceeding 32-bits in LPC_inverse_pred_gain_QA(), causing
a wrap-around. The C standard considers
this behavior as undefined. The following patch to line 87 of silk/LPC_inv_pred_gain.c
detects values that do not fit in a 32-bit integer and considers the corresponding filters unstable:
</t>
<figure>
<artwork><![CDATA[
<CODE BEGINS>
/* Update AR coefficient */
for( n = 0; n < k; n++ ) {
- tmp_QA = Aold_QA[ n ] - MUL32_FRAC_Q( \
Aold_QA[ k - n - 1 ], rc_Q31, 31 );
- Anew_QA[ n ] = MUL32_FRAC_Q( tmp_QA, rc_mult2 , mult2Q );
+ opus_int64 tmp64;
+ tmp_QA = silk_SUB_SAT32( Aold_QA[ n ], MUL32_FRAC_Q( \
Aold_QA[ k - n - 1 ], rc_Q31, 31 ) );
+ tmp64 = silk_RSHIFT_ROUND64( silk_SMULL( tmp_QA, \
rc_mult2 ), mult2Q);
+ if( tmp64 > silk_int32_MAX || tmp64 < silk_int32_MIN ) {
+ return 0;
+ }
+ Anew_QA[ n ] = ( opus_int32 )tmp64;
}
<CODE ENDS>
]]></artwork>
</figure>
</section>
<section title="Integer wrap-around in LSF decoding" anchor="lsf_overflow">
<t>
It was discovered -- also from decoder fuzzing -- that an integer wrap-around could
occur when decoding bitstreams with extremely large values for the high LSF parameters.
The end result of the wrap-around is an illegal read access on the stack, which
the authors do not believe is exploitable but should nonetheless be fixed. The following
patch to line 137 of silk/NLSF_stabilize.c prevents the problem:
</t>
<figure>
<artwork><![CDATA[
<CODE BEGINS>
/* Keep delta_min distance between the NLSFs */
for( i = 1; i < L; i++ )
- NLSF_Q15[i] = silk_max_int( NLSF_Q15[i], \
NLSF_Q15[i-1] + NDeltaMin_Q15[i] );
+ NLSF_Q15[i] = silk_max_int( NLSF_Q15[i], \
silk_ADD_SAT16( NLSF_Q15[i-1], NDeltaMin_Q15[i] ) );
/* Last NLSF should be no higher than 1 - NDeltaMin[L] */
<CODE ENDS>
]]></artwork>
</figure>
</section>
<section title="Cap on Band Energy">
<t>On extreme bit-streams, it is possible for log-domain band energy levels
to exceed the maximum single-precision floating point value once converted
to a linear scale. This would later cause the decoded values to be NaN (not a number),
possibly causing problems in the software using the PCM values. This can be
avoided with the following patch to line 552 of celt/quant_bands.c:
</t>
<figure>
<artwork><![CDATA[
<CODE BEGINS>
{
opus_val16 lg = ADD16(oldEBands[i+c*m->nbEBands],
SHL16((opus_val16)eMeans[i],6));
+ lg = MIN32(QCONST32(32.f, 16), lg);
eBands[i+c*m->nbEBands] = PSHR32(celt_exp2(lg),4);
}
for (;i<m->nbEBands;i++)
<CODE ENDS>
]]></artwork>
</figure>
</section>
<section title="Hybrid Folding" anchor="folding">
<t>When encoding in hybrid mode at low bitrate, we sometimes only have
enough bits to code a single CELT band (8 - 9.6 kHz). When that happens,
the second band (CELT band 18, from 9.6 to 12 kHz) cannot use folding
because it is wider than the amount already coded, and falls back to
white noise. Because it can also happen on transients (e.g. stops), it
can cause audible pre-echo.
</t>
<t>
To address the issue, we change the folding behavior so that it is
never forced to fall back to LCG due to the first band not containing
enough coefficients to fold onto the second band. This
is achieved by simply repeating part of the first band in the folding
of the second band. This changes the code in celt/bands.c around line 1237:
</t>
<figure>
<artwork><![CDATA[
<CODE BEGINS>
b = 0;
}
- if (resynth && M*eBands[i]-N >= M*eBands[start] && \
(update_lowband || lowband_offset==0))
+ if (resynth && (M*eBands[i]-N >= M*eBands[start] || \
i==start+1) && (update_lowband || lowband_offset==0))
lowband_offset = i;
+ if (i == start+1)
+ {
+ int n1, n2;
+ int offset;
+ n1 = M*(eBands[start+1]-eBands[start]);
+ n2 = M*(eBands[start+2]-eBands[start+1]);
+ offset = M*eBands[start];
+ /* Duplicate enough of the first band folding data to \
be able to fold the second band.
+ Copies no data for CELT-only mode. */
+ OPUS_COPY(&norm[offset+n1], &norm[offset+2*n1 - n2], n2-n1);
+ if (C==2)
+ OPUS_COPY(&norm2[offset+n1], &norm2[offset+2*n1 - n2], \
n2-n1);
+ }
+
tf_change = tf_res[i];
if (i>=m->effEBands)
{
<CODE ENDS>
]]></artwork>
</figure>
<t>
as well as line 1260:
</t>
<figure>
<artwork><![CDATA[
<CODE BEGINS>
fold_start = lowband_offset;
while(M*eBands[--fold_start] > effective_lowband);
fold_end = lowband_offset-1;
- while(M*eBands[++fold_end] < effective_lowband+N);
+ while(++fold_end < i && M*eBands[fold_end] < \
effective_lowband+N);
x_cm = y_cm = 0;
fold_i = fold_start; do {
x_cm |= collapse_masks[fold_i*C+0];
<CODE ENDS>
]]></artwork>
</figure>
<t>
The fix does not impact compatibility, because the improvement does
not depend on the encoder doing anything special. There is also no
reasonable way for an encoder to use the original behavior to
improve quality over the proposed change.
</t>
</section>
<section title="Downmix to Mono" anchor="stereo">
<t>The last issue is not strictly a bug, but it is an issue that has been reported
when downmixing an Opus decoded stream to mono, whether this is done inside the decoder
or as a post-processing step on the stereo decoder output. Opus intensity stereo allows
optionally coding the two channels 180-degrees out of phase on a per-band basis.
This provides better stereo quality than forcing the two channels to be in phase,
but when the output is downmixed to mono, the energy in the affected bands is cancelled
sometimes resulting in audible artifacts.
</t>
<t>As a work-around for this issue, the decoder MAY choose not to apply the 180-degree
phase shift. This can be useful when downmixing to mono inside or
outside of the decoder (e.g. user-controllable).
</t>
</section>
<section title="New Test Vectors">
<t>Changes in <xref target="folding"/> and <xref target="stereo"/> have
sufficient impact on the testvectors to make them fail. For this reason,
this document also updates the Opus test vectors. The new test vectors now
include two decoded outputs for the same bitstream. The outputs with
suffix 'm' do not apply the CELT 180-degree phase shift as allowed in
<xref target="stereo"/>, while the outputs without the suffix do. An
implementation is compliant as long as it passes either set of vectors.
</t>
<t>
Any Opus implementation
that passes either the original test vectors from <xref target="RFC6716">RFC 6716</xref>
or one of the new sets of test vectors is compliant with the Opus specification. However, newer implementations
SHOULD be based on the new test vectors rather than the old ones.
</t>
<t>The new test vectors are located at
<eref target="https://www.ietf.org/proceedings/98/slides/materials-98-codec-opus-newvectors-00.tar.gz"/>.
The SHA-1 hashes of the test vectors are:
<figure>
<artwork>
<![CDATA[
e49b2862ceec7324790ed8019eb9744596d5be01 testvector01.bit
b809795ae1bcd606049d76de4ad24236257135e0 testvector02.bit
e0c4ecaeab44d35a2f5b6575cd996848e5ee2acc testvector03.bit
a0f870cbe14ebb71fa9066ef3ee96e59c9a75187 testvector04.bit
9b3d92b48b965dfe9edf7b8a85edd4309f8cf7c8 testvector05.bit
28e66769ab17e17f72875283c14b19690cbc4e57 testvector06.bit
bacf467be3215fc7ec288f29e2477de1192947a6 testvector07.bit
ddbe08b688bbf934071f3893cd0030ce48dba12f testvector08.bit
3932d9d61944dab1201645b8eeaad595d5705ecb testvector09.bit
521eb2a1e0cc9c31b8b740673307c2d3b10c1900 testvector10.bit
6bc8f3146fcb96450c901b16c3d464ccdf4d5d96 testvector11.bit
338c3f1b4b97226bc60bc41038becbc6de06b28f testvector12.bit
f5ef93884da6a814d311027918e9afc6f2e5c2c8 testvector01.dec
48ac1ff1995250a756e1e17bd32acefa8cd2b820 testvector02.dec
d15567e919db2d0e818727092c0af8dd9df23c95 testvector03.dec
1249dd28f5bd1e39a66fd6d99449dca7a8316342 testvector04.dec
b85675d81deef84a112c466cdff3b7aaa1d2fc76 testvector05.dec
55f0b191e90bfa6f98b50d01a64b44255cb4813e testvector06.dec
61e8b357ab090b1801eeb578a28a6ae935e25b7b testvector07.dec
a58539ee5321453b2ddf4c0f2500e856b3966862 testvector08.dec
bb96aad2cde188555862b7bbb3af6133851ef8f4 testvector09.dec
1b6cdf0413ac9965b16184b1bea129b5c0b2a37a testvector10.dec
b1fff72b74666e3027801b29dbc48b31f80dee0d testvector11.dec
98e09bbafed329e341c3b4052e9c4ba5fc83f9b1 testvector12.dec
1e7d984ea3fbb16ba998aea761f4893fbdb30157 testvector01m.dec
48ac1ff1995250a756e1e17bd32acefa8cd2b820 testvector02m.dec
d15567e919db2d0e818727092c0af8dd9df23c95 testvector03m.dec
1249dd28f5bd1e39a66fd6d99449dca7a8316342 testvector04m.dec
d70b0bad431e7d463bc3da49bd2d49f1c6d0a530 testvector05m.dec
6ac1648c3174c95fada565161a6c78bdbe59c77d testvector06m.dec
fc5e2f709693738324fb4c8bdc0dad6dda04e713 testvector07m.dec
aad2ba397bf1b6a18e8e09b50e4b19627d479f00 testvector08m.dec
6feb7a7b9d7cdc1383baf8d5739e2a514bd0ba08 testvector09m.dec
1b6cdf0413ac9965b16184b1bea129b5c0b2a37a testvector10m.dec
fd3d3a7b0dfbdab98d37ed9aa04b659b9fefbd18 testvector11m.dec
98e09bbafed329e341c3b4052e9c4ba5fc83f9b1 testvector12m.dec
]]>
</artwork>
</figure>
Note that the decoder input bitstream files (.bit) are unchanged.
</t>
</section>
<section anchor="security" title="Security Considerations">
<t>This document fixes two security issues reported on Opus and that affect the
reference implementation in <xref target="RFC6716">RFC 6716</xref>: CVE-2013-0899
<eref target="https://nvd.nist.gov/vuln/detail/CVE-2013-0899"/>
and CVE-2017-0381 <eref target="https://nvd.nist.gov/vuln/detail/CVE-2017-0381"/>.
CVE- 2013-0899 theoretically could have caused an information leak. The leaked
information would have gone through the decoder process before being accessible
to the attacker. It is fixed by <xref target="padding"/>.
CVE-2017-0381 could have resulted in a 16-bit out-of-bounds read from a fixed
location. It is fixed in <xref target="lsf_overflow"/>.
Beyond the two fixed CVEs, this document adds no new security considerations on top of
<xref target="RFC6716">RFC 6716</xref>.
</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document makes no request of IANA.</t>
<t>Note to RFC Editor: this section may be removed on publication as an
RFC.</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>We would like to thank Juri Aedla for reporting the issue with the parsing of
the Opus padding. Thanks to Felicia Lim for reporting the LSF integer overflow issue.
Also, thanks to Tina le Grand, Jonathan Lennox, and Mark Harris for their
feedback on this document.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
<?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.6716.xml"?>
</references>
</back>
</rfc>
|
