libvorbis-1.2.3 reads past the end of a static array during 'make check'.
Target version is 1.2.3. During 'make check', vorbis_encode_compand_setup() (vorbisenc.c:379, `ds=x[is]*(1.-ds)+x[is+1]*ds;`) reads _psy_compand_8_mapping[] at index is+1 == 3, but that array has only 3 elements (valid indices 0..2), so the read is one double past its end.
This bug was found using Fail-Safe C. (https://staff.aist.go.jp/y.oiwa/FailSafeC/index-en.html)
$ uname -a
Linux hardy2-gp01 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux
$ gcc -v
Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.2 --program-suffix=-4.2 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
Thread model: posix
gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
$ CFLAGS='-g -fno-inline' ./configure --disable-shared && make
(snip)
$ gdb test/test
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) b vorbis_encode_compand_setup
Breakpoint 1 at 0x80499fb: file vorbisenc.c, line 373.
(gdb) run
Starting program: /home/katayama/work/libvorbis-1.2.3/test/test
vorbis_44100.ogg :
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=0, in=0x8066560, x=0x8066920)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=1, in=0x8066560, x=0x8066920)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=2, in=0x8066560, x=0x8066980)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=3, in=0x8066560, x=0x8066980)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
ok
vorbis_48000.ogg :
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=0, in=0x8066560, x=0x8066920)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=1, in=0x8066560, x=0x8066920)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=2, in=0x8066560, x=0x8066980)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=3, in=0x8066560, x=0x8066980)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
ok
vorbis_32000.ogg :
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=0, in=0x8066560, x=0x8066920)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=1, in=0x8066560, x=0x8066920)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=2, in=0x8066560, x=0x8066980)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=9.0000011192092888, block=3, in=0x8066560, x=0x8066980)
at vorbisenc.c:373
373 const double *x){
(gdb) c
Continuing.
ok
vorbis_22050.ogg :
Breakpoint 1, vorbis_encode_compand_setup (vi=0xbfa14930, s=2.6000002238418576, block=0, in=0x806bc00, x=0x806bd40)
at vorbisenc.c:373
373 const double *x){
(gdb) n
374 int i,is=s;
(gdb) n
373 const double *x){
(gdb) n
374 int i,is=s;
(gdb) n
375 double ds=s-is;
(gdb) n
377 vorbis_info_psy *p=ci->psy_param[block];
(gdb) n
375 double ds=s-is;
(gdb) n
377 vorbis_info_psy *p=ci->psy_param[block];
(gdb) n
379 ds=x[is]*(1.-ds)+x[is+1]*ds;
(gdb) p is+1
$1 = 3
(gdb) p x
$2 = (const double *) 0x806bd40
(gdb) p &_psy_compand_8_mapping
$3 = (double (*)[3]) 0x806bd40
(gdb) p _psy_compand_8_mapping
$4 = {0, 1, 1}
(gdb)
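The arithmetic behind the read gdb stopped on, as an added example (not code from libvorbis or from this report): it reproduces the index computation of vorbisenc.c lines 374-379 against a constructed 3-entry copy of the table gdb printed, reports whether that computation steps past the table, and pairs it with a clamped interpolation. The clamp is an illustrative hardening written for this note, not the upstream fix; the function names and the copied table are assumptions.

```c
#include <stdio.h>

/* Constructed copy of the table gdb printed ("$4 = {0, 1, 1}"); the real
 * _psy_compand_8_mapping lives in libvorbis' setup headers. */
#define MAPPING_LEN 3
static const double psy_compand_8_mapping[MAPPING_LEN] = {0., 1., 1.};

/* Highest index the interpolation in vorbis_encode_compand_setup() touches:
 *   int is = s;  ds = s - is;  ds = x[is]*(1.-ds) + x[is+1]*ds;
 * so the last element read is x[is+1]. Computed without dereferencing. */
int compand_max_index(double s) {
    int is = (int)s;
    return is + 1;
}

/* 1 if the original expression would read past a table of len entries. */
int compand_reads_out_of_bounds(double s, int len) {
    return compand_max_index(s) >= len;
}

/* Illustrative hardened interpolation (not the upstream patch): when is is
 * already the last valid index there is no x[is+1] to blend with, so return
 * x[len-1] instead of reading past the array. */
double compand_interp_safe(const double *x, int len, double s) {
    int is;
    double ds;
    if (len <= 0) return 0.;
    if (s < 0.) s = 0.;
    is = (int)s;
    if (is >= len - 1) return x[len - 1];
    ds = s - is;
    return x[is] * (1. - ds) + x[is + 1] * ds;
}

int main(void) {
    /* s as gdb showed it for vorbis_22050.ogg */
    double s = 2.6000002238418576;
    printf("s=%.3f -> is+1=%d, table length %d, out of bounds: %s\n",
           s, compand_max_index(s), MAPPING_LEN,
           compand_reads_out_of_bounds(s, MAPPING_LEN) ? "yes" : "no");
    printf("clamped interpolation: %.3f\n",
           compand_interp_safe(psy_compand_8_mapping, MAPPING_LEN, s));
    return 0;
}
```

For the s value from the vorbis_22050.ogg run the first line reports is+1 = 3 against a 3-entry table, which is exactly the x[is+1] read at line 379 in the session above; because the table is static const data, the stray read returns whatever the linker placed after it rather than faulting, which is why 'make check' still prints "ok".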