From 95c61ac543c4662e51696eb9d57e4801ce1e396b Mon Sep 17 00:00:00 2001
From: Tristan Matthews <tmatth@videolan.org>
Date: Fri, 17 Jan 2025 12:21:30 -0500
Subject: [PATCH 1/2] arch: add EPSILON

This is like VERY_SMALL but non-zero for fixed-point (unlike VERY_SMALL).
---
 libspeex/arch.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libspeex/arch.h b/libspeex/arch.h
index 807469d..fe5ba9b 100644
--- a/libspeex/arch.h
+++ b/libspeex/arch.h
@@ -107,6 +107,7 @@ typedef spx_word32_t spx_sig_t;
 #define SIG_SHIFT    14
 #define GAIN_SHIFT   6
 
+#define EPSILON 1
 #define VERY_SMALL 0
 #define VERY_LARGE32 ((spx_word32_t)2147483647)
 #define VERY_LARGE16 ((spx_word16_t)32767)
@@ -148,6 +149,7 @@ typedef float spx_word32_t;
 #define GAIN_SCALING_1 1.f
 
 
+#define EPSILON 1e-15f
 #define VERY_SMALL 1e-15f
 #define VERY_LARGE32 1e15f
 #define VERY_LARGE16 1e15f
-- 
GitLab


From 724e14a6cdf28748bb07824e5e894bd200526222 Mon Sep 17 00:00:00 2001
From: Tristan Matthews <tmatth@videolan.org>
Date: Fri, 17 Jan 2025 12:22:00 -0500
Subject: [PATCH 2/2] sb_celp: avoid division by 0

Co-authored by: Jean-Marc Valin <jmvalin@jmvalin.ca>

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/speex

Fixes https://oss-fuzz.com/testcase-detail/6065027378905088
Fixes https://issues.oss-fuzz.com/issues/389329711
---
 libspeex/sb_celp.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libspeex/sb_celp.c b/libspeex/sb_celp.c
index 61d5c27..2da8e48 100644
--- a/libspeex/sb_celp.c
+++ b/libspeex/sb_celp.c
@@ -866,7 +866,7 @@ int sb_encode(void *state, void *vin, SpeexBits *bits)
          if (st->subframeSize==80)
             gc = MULT16_16_P14(QCONST16(1.4142f,14), gc);
 
-         scale = SHL32(MULT16_16(PDIV32_16(SHL32(EXTEND32(gc),SIG_SHIFT-6),filter_ratio),(1+el)),6);
+         scale = SHL32(MULT16_16(PDIV32_16(SHL32(EXTEND32(gc),SIG_SHIFT-6),MAX16(EPSILON,filter_ratio)),(1+el)),6);
 
          compute_impulse_response(st->interp_qlpc, bw_lpc1, bw_lpc2, syn_resp, st->subframeSize, st->lpcSize, stack);
 
@@ -1370,7 +1370,8 @@ int sb_decode(void *state, SpeexBits *bits, void *vout)
          quant = speex_bits_unpack_unsigned(bits, 5);
          g= spx_exp(MULT16_16(QCONST16(.125f,11),(quant-10)));
 
-         g = PDIV32(g, filter_ratio);
+         /* Clamp to a minimum of epsilon to avoid division by 0 */
+         g = PDIV32(g, MAX16(EPSILON,filter_ratio));
 
          for (i=0;i<st->subframeSize;i+=2)
          {
@@ -1389,7 +1390,7 @@ int sb_decode(void *state, SpeexBits *bits, void *vout)
          if (st->subframeSize==80)
             gc = MULT16_16_P14(QCONST16(1.4142f,14),gc);
 
-         scale = SHL32(PDIV32(SHL32(MULT16_16(gc, el),3), filter_ratio),SIG_SHIFT-3);
+         scale = SHL32(PDIV32(SHL32(MULT16_16(gc, el),3), MAX16(EPSILON,filter_ratio)),SIG_SHIFT-3);
          SUBMODE(innovation_unquant)(exc, SUBMODE(innovation_params), st->subframeSize,
                                      bits, stack, &st->seed);
 
-- 
GitLab