1<?xml version="1.0" encoding="US-ASCII"?> 2<!DOCTYPE rfc SYSTEM "rfc2629.dtd"> 3<?rfc toc="yes"?> 4<?rfc tocompact="yes"?> 5<?rfc tocdepth="3"?> 6<?rfc tocindent="yes"?> 7<?rfc symrefs="yes"?> 8<?rfc sortrefs="yes"?> 9<?rfc comments="yes"?> 10<?rfc inline="yes"?> 11<?rfc compact="yes"?> 12<?rfc subcompact="no"?> 13<rfc category="std" docName="draft-ietf-codec-opus-update-10" 14 ipr="trust200902" updates="6716"> 15 <front> 16 <title abbrev="Opus Update">Updates to the Opus Audio Codec</title> 17 18<author initials="JM" surname="Valin" fullname="Jean-Marc Valin"> 19<organization>Mozilla Corporation</organization> 20<address> 21<postal> 22<street>331 E. Evelyn Avenue</street> 23<city>Mountain View</city> 24<region>CA</region> 25<code>94041</code> 26<country>USA</country> 27</postal> 28<phone>+1 650 903-0800</phone> 29<email>jmvalin@jmvalin.ca</email> 30</address> 31</author> 32 33<author initials="K." surname="Vos" fullname="Koen Vos"> 34<organization>vocTone</organization> 35<address> 36<postal> 37<street></street> 38<city></city> 39<region></region> 40<code></code> 41<country></country> 42</postal> 43<phone></phone> 44<email>koenvos74@gmail.com</email> 45</address> 46</author> 47 48 49 50 <date day="24" month="August" year="2017" /> 51 52 <abstract> 53 <t>This document addresses minor issues that were found in the specification 54 of the Opus audio codec in RFC 6716. It updates the normative decoder implementation 55 included in the appendix of RFC 6716. The changes fixes real and potential security-related 56 issues, as well minor quality-related issues.</t> 57 </abstract> 58 </front> 59 60 <middle> 61 <section title="Introduction"> 62 <t>This document addresses minor issues that were discovered in the reference 63 implementation of the Opus codec. Unlike most IETF specifications, Opus is defined 64 in <xref target="RFC6716">RFC 6716</xref> in terms of a normative reference 65 decoder implementation rather than from the associated text description. 66 That RFC includes the reference decoder implementation as Appendix A. 67 That's why only issues affecting the decoder are 68 listed here. An up-to-date implementation of the Opus encoder can be found at 69 <eref target="https://opus-codec.org/"/>.</t> 70 <t> 71 Some of the changes in this document update normative behaviour in a way that requires 72 new test vectors. The English text of the specification is unaffected, only 73 the C implementation is. The updated specification remains fully compatible with 74 the original specification. 75 </t> 76 77 <t> 78 Note: due to RFC formatting conventions, lines exceeding the column width 79 in the patch are split using a backslash character. The backslashes 80 at the end of a line and the white space at the beginning 81 of the following line are not part of the patch. A properly formatted patch 82 including all changes is available at 83 <eref target="https://www.ietf.org/proceedings/98/slides/materials-98-codec-opus-update-00.patch"/> 84 and has a SHA-1 hash of 029e3aa88fc342c91e67a21e7bfbc9458661cd5f. 85 </t> 86 87 </section> 88 89 <section title="Terminology"> 90 <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 91 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 92 document are to be interpreted as described in <xref 93 target="RFC2119">RFC 2119</xref>.</t> 94 </section> 95 96 <section title="Stereo State Reset in SILK"> 97 <t>The reference implementation does not reinitialize the stereo state 98 during a mode switch. The old stereo memory can produce a brief impulse 99 (i.e. single sample) in the decoded audio. This can be fixed by changing 100 silk/dec_API.c at line 72: 101 </t> 102<figure> 103<artwork><![CDATA[ 104<CODE BEGINS> 105 for( n = 0; n < DECODER_NUM_CHANNELS; n++ ) { 106 ret = silk_init_decoder( &channel_state[ n ] ); 107 } 108+ silk_memset(&((silk_decoder *)decState)->sStereo, 0, 109+ sizeof(((silk_decoder *)decState)->sStereo)); 110+ /* Not strictly needed, but it's cleaner that way */ 111+ ((silk_decoder *)decState)->prev_decode_only_middle = 0; 112 113 return ret; 114 } 115<CODE ENDS> 116]]></artwork> 117</figure> 118 <t> 119 This change affects the normative output of the decoder, but the 120 amount of change is within the tolerance and too small to make the testvector check fail. 121 </t> 122 </section> 123 124 <section anchor="padding" title="Parsing of the Opus Packet Padding"> 125 <t>It was discovered that some invalid packets of very large size could trigger 126 an out-of-bounds read in the Opus packet parsing code responsible for padding. 127 This is due to an integer overflow if the signaled padding exceeds 2^31-1 bytes 128 (the actual packet may be smaller). The code can be fixed by decrementing the 129 (signed) len value, instead of incrementing a separate padding counter. 130 This is done by applying the following changes at line 596 of src/opus_decoder.c: 131 </t> 132<figure> 133<artwork><![CDATA[ 134<CODE BEGINS> 135 /* Padding flag is bit 6 */ 136 if (ch&0x40) 137 { 138- int padding=0; 139 int p; 140 do { 141 if (len<=0) 142 return OPUS_INVALID_PACKET; 143 p = *data++; 144 len--; 145- padding += p==255 ? 254: p; 146+ len -= p==255 ? 254: p; 147 } while (p==255); 148- len -= padding; 149 } 150<CODE ENDS> 151]]></artwork> 152</figure> 153 <t>This packet parsing issue is limited to reading memory up 154 to about 60 kB beyond the compressed buffer. This can only be triggered 155 by a compressed packet more than about 16 MB long, so it's not a problem 156 for RTP. In theory, it could crash a file 157 decoder (e.g. Opus in Ogg) if the memory just after the incoming packet 158 is out-of-range, but our attempts to trigger such a crash in a production 159 application built using an affected version of the Opus decoder failed.</t> 160 </section> 161 162 <section anchor="resampler" title="Resampler buffer"> 163 <t>The SILK resampler had the following issues: 164 <list style="numbers"> 165 <t>The calls to memcpy() were using sizeof(opus_int32), but the type of the 166 local buffer was opus_int16.</t> 167 <t>Because the size was wrong, this potentially allowed the source 168 and destination regions of the memcpy() to overlap on the copy from "buf" to "buf". 169 We believe that nSamplesIn (number of input samples) is at least fs_in_khZ (sampling rate in kHz), 170 which is at least 8. 171 Since RESAMPLER_ORDER_FIR_12 is only 8, that should not be a problem once 172 the type size is fixed.</t> 173 <t>The size of the buffer used RESAMPLER_MAX_BATCH_SIZE_IN, but the 174 data stored in it was actually twice the input batch size 175 (nSamplesIn<<1).</t> 176 </list></t> 177 <t>The code can be fixed by applying the following changes to line 78 of silk/resampler_private_IIR_FIR.c: 178 </t> 179<figure> 180<artwork><![CDATA[ 181<CODE BEGINS> 182 ) 183 { 184 silk_resampler_state_struct *S = \ 185(silk_resampler_state_struct *)SS; 186 opus_int32 nSamplesIn; 187 opus_int32 max_index_Q16, index_increment_Q16; 188- opus_int16 buf[ RESAMPLER_MAX_BATCH_SIZE_IN + \ 189RESAMPLER_ORDER_FIR_12 ]; 190+ opus_int16 buf[ 2*RESAMPLER_MAX_BATCH_SIZE_IN + \ 191RESAMPLER_ORDER_FIR_12 ]; 192 193 /* Copy buffered samples to start of buffer */ 194- silk_memcpy( buf, S->sFIR, RESAMPLER_ORDER_FIR_12 \ 195* sizeof( opus_int32 ) ); 196+ silk_memcpy( buf, S->sFIR, RESAMPLER_ORDER_FIR_12 \ 197* sizeof( opus_int16 ) ); 198 199 /* Iterate over blocks of frameSizeIn input samples */ 200 index_increment_Q16 = S->invRatio_Q16; 201 while( 1 ) { 202 nSamplesIn = silk_min( inLen, S->batchSize ); 203 204 /* Upsample 2x */ 205 silk_resampler_private_up2_HQ( S->sIIR, &buf[ \ 206RESAMPLER_ORDER_FIR_12 ], in, nSamplesIn ); 207 208 max_index_Q16 = silk_LSHIFT32( nSamplesIn, 16 + 1 \ 209); /* + 1 because 2x upsampling */ 210 out = silk_resampler_private_IIR_FIR_INTERPOL( out, \ 211buf, max_index_Q16, index_increment_Q16 ); 212 in += nSamplesIn; 213 inLen -= nSamplesIn; 214 215 if( inLen > 0 ) { 216 /* More iterations to do; copy last part of \ 217filtered signal to beginning of buffer */ 218- silk_memcpy( buf, &buf[ nSamplesIn << 1 ], \ 219RESAMPLER_ORDER_FIR_12 * sizeof( opus_int32 ) ); 220+ silk_memmove( buf, &buf[ nSamplesIn << 1 ], \ 221RESAMPLER_ORDER_FIR_12 * sizeof( opus_int16 ) ); 222 } else { 223 break; 224 } 225 } 226 227 /* Copy last part of filtered signal to the state for \ 228the next call */ 229- silk_memcpy( S->sFIR, &buf[ nSamplesIn << 1 ], \ 230RESAMPLER_ORDER_FIR_12 * sizeof( opus_int32 ) ); 231+ silk_memcpy( S->sFIR, &buf[ nSamplesIn << 1 ], \ 232RESAMPLER_ORDER_FIR_12 * sizeof( opus_int16 ) ); 233 } 234<CODE ENDS> 235]]></artwork> 236</figure> 237 </section> 238 239 <section title="Integer wrap-around in inverse gain computation"> 240 <t> 241 It was discovered through decoder fuzzing that some bitstreams could produce 242 integer values exceeding 32-bits in LPC_inverse_pred_gain_QA(), causing 243 a wrap-around. The C standard considers 244 this behavior as undefined. The following patch to line 87 of silk/LPC_inv_pred_gain.c 245 detects values that do not fit in a 32-bit integer and considers the corresponding filters unstable: 246 </t> 247<figure> 248<artwork><![CDATA[ 249<CODE BEGINS> 250 /* Update AR coefficient */ 251 for( n = 0; n < k; n++ ) { 252- tmp_QA = Aold_QA[ n ] - MUL32_FRAC_Q( \ 253Aold_QA[ k - n - 1 ], rc_Q31, 31 ); 254- Anew_QA[ n ] = MUL32_FRAC_Q( tmp_QA, rc_mult2 , mult2Q ); 255+ opus_int64 tmp64; 256+ tmp_QA = silk_SUB_SAT32( Aold_QA[ n ], MUL32_FRAC_Q( \ 257Aold_QA[ k - n - 1 ], rc_Q31, 31 ) ); 258+ tmp64 = silk_RSHIFT_ROUND64( silk_SMULL( tmp_QA, \ 259rc_mult2 ), mult2Q); 260+ if( tmp64 > silk_int32_MAX || tmp64 < silk_int32_MIN ) { 261+ return 0; 262+ } 263+ Anew_QA[ n ] = ( opus_int32 )tmp64; 264 } 265<CODE ENDS> 266]]></artwork> 267</figure> 268 </section> 269 270 <section title="Integer wrap-around in LSF decoding" anchor="lsf_overflow"> 271 <t> 272 It was discovered -- also from decoder fuzzing -- that an integer wrap-around could 273 occur when decoding bitstreams with extremely large values for the high LSF parameters. 274 The end result of the wrap-around is an illegal read access on the stack, which 275 the authors do not believe is exploitable but should nonetheless be fixed. The following 276 patch to line 137 of silk/NLSF_stabilize.c prevents the problem: 277 </t> 278<figure> 279<artwork><![CDATA[ 280<CODE BEGINS> 281 /* Keep delta_min distance between the NLSFs */ 282 for( i = 1; i < L; i++ ) 283- NLSF_Q15[i] = silk_max_int( NLSF_Q15[i], \ 284NLSF_Q15[i-1] + NDeltaMin_Q15[i] ); 285+ NLSF_Q15[i] = silk_max_int( NLSF_Q15[i], \ 286silk_ADD_SAT16( NLSF_Q15[i-1], NDeltaMin_Q15[i] ) ); 287 288 /* Last NLSF should be no higher than 1 - NDeltaMin[L] */ 289<CODE ENDS> 290]]></artwork> 291</figure> 292 293 </section> 294 295 <section title="Cap on Band Energy"> 296 <t>On extreme bit-streams, it is possible for log-domain band energy levels 297 to exceed the maximum single-precision floating point value once converted 298 to a linear scale. This would later cause the decoded values to be NaN (not a number), 299 possibly causing problems in the software using the PCM values. This can be 300 avoided with the following patch to line 552 of celt/quant_bands.c: 301 </t> 302<figure> 303<artwork><![CDATA[ 304<CODE BEGINS> 305 { 306 opus_val16 lg = ADD16(oldEBands[i+c*m->nbEBands], 307 SHL16((opus_val16)eMeans[i],6)); 308+ lg = MIN32(QCONST32(32.f, 16), lg); 309 eBands[i+c*m->nbEBands] = PSHR32(celt_exp2(lg),4); 310 } 311 for (;i<m->nbEBands;i++) 312<CODE ENDS> 313]]></artwork> 314</figure> 315 </section> 316 317 <section title="Hybrid Folding" anchor="folding"> 318 <t>When encoding in hybrid mode at low bitrate, we sometimes only have 319 enough bits to code a single CELT band (8 - 9.6 kHz). When that happens, 320 the second band (CELT band 18, from 9.6 to 12 kHz) cannot use folding 321 because it is wider than the amount already coded, and falls back to 322 white noise. Because it can also happen on transients (e.g. stops), it 323 can cause audible pre-echo. 324 </t> 325 <t> 326 To address the issue, we change the folding behavior so that it is 327 never forced to fall back to LCG due to the first band not containing 328 enough coefficients to fold onto the second band. This 329 is achieved by simply repeating part of the first band in the folding 330 of the second band. This changes the code in celt/bands.c around line 1237: 331 </t> 332<figure> 333<artwork><![CDATA[ 334<CODE BEGINS> 335 b = 0; 336 } 337 338- if (resynth && M*eBands[i]-N >= M*eBands[start] && \ 339(update_lowband || lowband_offset==0)) 340+ if (resynth && (M*eBands[i]-N >= M*eBands[start] || \ 341i==start+1) && (update_lowband || lowband_offset==0)) 342 lowband_offset = i; 343 344+ if (i == start+1) 345+ { 346+ int n1, n2; 347+ int offset; 348+ n1 = M*(eBands[start+1]-eBands[start]); 349+ n2 = M*(eBands[start+2]-eBands[start+1]); 350+ offset = M*eBands[start]; 351+ /* Duplicate enough of the first band folding data to \ 352be able to fold the second band. 353+ Copies no data for CELT-only mode. */ 354+ OPUS_COPY(&norm[offset+n1], &norm[offset+2*n1 - n2], n2-n1); 355+ if (C==2) 356+ OPUS_COPY(&norm2[offset+n1], &norm2[offset+2*n1 - n2], \ 357n2-n1); 358+ } 359+ 360 tf_change = tf_res[i]; 361 if (i>=m->effEBands) 362 { 363<CODE ENDS> 364]]></artwork> 365</figure> 366 367 <t> 368 as well as line 1260: 369 </t> 370 371<figure> 372<artwork><![CDATA[ 373<CODE BEGINS> 374 fold_start = lowband_offset; 375 while(M*eBands[--fold_start] > effective_lowband); 376 fold_end = lowband_offset-1; 377- while(M*eBands[++fold_end] < effective_lowband+N); 378+ while(++fold_end < i && M*eBands[fold_end] < \ 379effective_lowband+N); 380 x_cm = y_cm = 0; 381 fold_i = fold_start; do { 382 x_cm |= collapse_masks[fold_i*C+0]; 383 384<CODE ENDS> 385]]></artwork> 386</figure> 387 <t> 388 The fix does not impact compatibility, because the improvement does 389 not depend on the encoder doing anything special. There is also no 390 reasonable way for an encoder to use the original behavior to 391 improve quality over the proposed change. 392 </t> 393 </section> 394 395 <section title="Downmix to Mono" anchor="stereo"> 396 <t>The last issue is not strictly a bug, but it is an issue that has been reported 397 when downmixing an Opus decoded stream to mono, whether this is done inside the decoder 398 or as a post-processing step on the stereo decoder output. Opus intensity stereo allows 399 optionally coding the two channels 180-degrees out of phase on a per-band basis. 400 This provides better stereo quality than forcing the two channels to be in phase, 401 but when the output is downmixed to mono, the energy in the affected bands is cancelled 402 sometimes resulting in audible artifacts. 403 </t> 404 <t>As a work-around for this issue, the decoder MAY choose not to apply the 180-degree 405 phase shift. This can be useful when downmixing to mono inside or 406 outside of the decoder (e.g. user-controllable). 407 </t> 408 </section> 409 410 411 <section title="New Test Vectors"> 412 <t>Changes in <xref target="folding"/> and <xref target="stereo"/> have 413 sufficient impact on the testvectors to make them fail. For this reason, 414 this document also updates the Opus test vectors. The new test vectors now 415 include two decoded outputs for the same bitstream. The outputs with 416 suffix 'm' do not apply the CELT 180-degree phase shift as allowed in 417 <xref target="stereo"/>, while the outputs without the suffix do. An 418 implementation is compliant as long as it passes either set of vectors. 419 </t> 420 <t> 421 Any Opus implementation 422 that passes either the original test vectors from <xref target="RFC6716">RFC 6716</xref> 423 or one of the new sets of test vectors is compliant with the Opus specification. However, newer implementations 424 SHOULD be based on the new test vectors rather than the old ones. 425 </t> 426 <t>The new test vectors are located at 427 <eref target="https://www.ietf.org/proceedings/98/slides/materials-98-codec-opus-newvectors-00.tar.gz"/>. 428 The SHA-1 hashes of the test vectors are: 429<figure> 430<artwork> 431<![CDATA[ 432e49b2862ceec7324790ed8019eb9744596d5be01 testvector01.bit 433b809795ae1bcd606049d76de4ad24236257135e0 testvector02.bit 434e0c4ecaeab44d35a2f5b6575cd996848e5ee2acc testvector03.bit 435a0f870cbe14ebb71fa9066ef3ee96e59c9a75187 testvector04.bit 4369b3d92b48b965dfe9edf7b8a85edd4309f8cf7c8 testvector05.bit 43728e66769ab17e17f72875283c14b19690cbc4e57 testvector06.bit 438bacf467be3215fc7ec288f29e2477de1192947a6 testvector07.bit 439ddbe08b688bbf934071f3893cd0030ce48dba12f testvector08.bit 4403932d9d61944dab1201645b8eeaad595d5705ecb testvector09.bit 441521eb2a1e0cc9c31b8b740673307c2d3b10c1900 testvector10.bit 4426bc8f3146fcb96450c901b16c3d464ccdf4d5d96 testvector11.bit 443338c3f1b4b97226bc60bc41038becbc6de06b28f testvector12.bit 444f5ef93884da6a814d311027918e9afc6f2e5c2c8 testvector01.dec 44548ac1ff1995250a756e1e17bd32acefa8cd2b820 testvector02.dec 446d15567e919db2d0e818727092c0af8dd9df23c95 testvector03.dec 4471249dd28f5bd1e39a66fd6d99449dca7a8316342 testvector04.dec 448b85675d81deef84a112c466cdff3b7aaa1d2fc76 testvector05.dec 44955f0b191e90bfa6f98b50d01a64b44255cb4813e testvector06.dec 45061e8b357ab090b1801eeb578a28a6ae935e25b7b testvector07.dec 451a58539ee5321453b2ddf4c0f2500e856b3966862 testvector08.dec 452bb96aad2cde188555862b7bbb3af6133851ef8f4 testvector09.dec 4531b6cdf0413ac9965b16184b1bea129b5c0b2a37a testvector10.dec 454b1fff72b74666e3027801b29dbc48b31f80dee0d testvector11.dec 45598e09bbafed329e341c3b4052e9c4ba5fc83f9b1 testvector12.dec 4561e7d984ea3fbb16ba998aea761f4893fbdb30157 testvector01m.dec 45748ac1ff1995250a756e1e17bd32acefa8cd2b820 testvector02m.dec 458d15567e919db2d0e818727092c0af8dd9df23c95 testvector03m.dec 4591249dd28f5bd1e39a66fd6d99449dca7a8316342 testvector04m.dec 460d70b0bad431e7d463bc3da49bd2d49f1c6d0a530 testvector05m.dec 4616ac1648c3174c95fada565161a6c78bdbe59c77d testvector06m.dec 462fc5e2f709693738324fb4c8bdc0dad6dda04e713 testvector07m.dec 463aad2ba397bf1b6a18e8e09b50e4b19627d479f00 testvector08m.dec 4646feb7a7b9d7cdc1383baf8d5739e2a514bd0ba08 testvector09m.dec 4651b6cdf0413ac9965b16184b1bea129b5c0b2a37a testvector10m.dec 466fd3d3a7b0dfbdab98d37ed9aa04b659b9fefbd18 testvector11m.dec 46798e09bbafed329e341c3b4052e9c4ba5fc83f9b1 testvector12m.dec 468]]> 469</artwork> 470</figure> 471 Note that the decoder input bitstream files (.bit) are unchanged. 472 </t> 473 </section> 474 475 <section anchor="security" title="Security Considerations"> 476 <t>This document fixes two security issues reported on Opus and that affect the 477 reference implementation in <xref target="RFC6716">RFC 6716</xref>: CVE-2013-0899 478 <eref target="https://nvd.nist.gov/vuln/detail/CVE-2013-0899"/> 479 and CVE-2017-0381 <eref target="https://nvd.nist.gov/vuln/detail/CVE-2017-0381"/>. 480 CVE- 2013-0899 theoretically could have caused an information leak. The leaked 481 information would have gone through the decoder process before being accessible 482 to the attacker. It is fixed by <xref target="padding"/>. 483 CVE-2017-0381 could have resulted in a 16-bit out-of-bounds read from a fixed 484 location. It is fixed in <xref target="lsf_overflow"/>. 485 Beyond the two fixed CVEs, this document adds no new security considerations on top of 486 <xref target="RFC6716">RFC 6716</xref>. 487 </t> 488 </section> 489 490 <section anchor="IANA" title="IANA Considerations"> 491 <t>This document makes no request of IANA.</t> 492 493 <t>Note to RFC Editor: this section may be removed on publication as an 494 RFC.</t> 495 </section> 496 497 <section anchor="Acknowledgements" title="Acknowledgements"> 498 <t>We would like to thank Juri Aedla for reporting the issue with the parsing of 499 the Opus padding. Thanks to Felicia Lim for reporting the LSF integer overflow issue. 500 Also, thanks to Tina le Grand, Jonathan Lennox, and Mark Harris for their 501 feedback on this document.</t> 502 </section> 503 </middle> 504 505 <back> 506 <references title="Normative References"> 507 <?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?> 508 <?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.6716.xml"?> 509 510 511 </references> 512 </back> 513</rfc> 514