Skip to content

Fix CY0 buffer overflow in beamformer working struct#91

Open
goyalpalak18 wants to merge 1 commit intoeembc:mainfrom
goyalpalak18:fix/abf-cy0-buffer-overflow
Open

Fix CY0 buffer overflow in beamformer working struct#91
goyalpalak18 wants to merge 1 commit intoeembc:mainfrom
goyalpalak18:fix/abf-cy0-buffer-overflow

Conversation

@goyalpalak18
Copy link

@goyalpalak18 goyalpalak18 commented Feb 8, 2026

Summary

Identified and fixed a buffer overflow in the CY0 scratch buffer.

The buffer was declared using the half-spectrum constant (NFFTD2), but the synthesis logic treats it as full-spectrum (NFFT). This resulted in writing 126 floats (504 bytes) past the end of the array during the IFFT and spectrum extension stages.

On the current ARM build, this overflow was overwriting the adjacent XY struct member. It did not trigger a crash solely due to the specific memory layout and the fact that XY was effectively unused at that point in the frame. This fix updates CY0 to the correct full-spectrum size to prevent the out-of-bounds writes.

The Bug

The CY0 buffer was declared with NFFTD2 (half-spectrum size), likely because it's used for some half-spectrum math early in the function.

However, later in the synthesis stage (specifically the complex IFFT), we treat CY0 as a full-spectrum buffer. We end up writing about 126 floats past the end of the array.

The Fix

I just bumped the size of CY0 to match the other full-spectrum buffers (mic, BM, etc).

// src/ee_abf_f32.h
- ee_f32_t CY0[NFFTD2 * COMPLEX + 2]; // Too small (130 floats)
+ ee_f32_t CY0[NFFT * COMPLEX + 2];   // Correct (258 floats)

@goyalpalak18
Fix CY0 buffer overflow in beamformer working struct
d8b48ac 
CY0 was declared as NFFTD2*COMPLEX+2 (130 floats) but is used
as a full-spectrum buffer for 128-point CFFT requiring 256 floats.

Signed-off-by: goyalpalak18 <goyalpalak1806@gmail.com>
@goyalpalak18
Copy link
Author

goyalpalak18 commented Feb 8, 2026

Hi @joseph-yiu @petertorelli,

This PR fixes a buffer overflow in the beamformer where CY0 was declared using NFFTD2 (half size) but used as NFFT (full size) in the synthesis loop. This was causing a 504-byte write past the end of the array.

I verified the fix with AddressSanitizer and confirmed that benchmark scores match the baseline.

I’d appreciate a review when you get a chance. Happy to make any changes if needed.

Thanks!

@joseph-yiu
Copy link
Contributor

joseph-yiu commented Feb 9, 2026

Thanks the for pull request. We will review.
regards,
Joseph

@joseph-yiu
Copy link
Contributor

joseph-yiu commented Feb 10, 2026

Bug confirmed and the code changes have been review. I merged the PR into dev_20261q1 branch.
regards,
Joseph

@goyalpalak18
Copy link
Author

goyalpalak18 commented Feb 11, 2026

@joseph-yiu ,thanks for confirming the bug and merging the fix into dev_20261q1 branch.

Since the changes are merged, should I close this PR now or will it be closed automatically when that branch is merged to main?

@joseph-yiu
Copy link
Contributor

joseph-yiu commented Feb 11, 2026

We can leave it open for now in case any reviewer have additional comments. We will close it when we merged it to the main.
Thanks and regards,
Joseph

@goyalpalak18
Copy link
Author

goyalpalak18 commented Feb 11, 2026

Understood, I'll leave it open. Thanks @joseph-yiu !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@goyalpalak18 @joseph-yiu

Comments