osce: Clamp pitch embedding index to prevent OOB read

matejsmycka · claude · matejsmycka · commit 031c1e0f3759 · 2026-03-22T21:03:07.000+01:00
The LACE and NoLACE feature networks access the pitch embedding table
using periods[i_subframe] as a direct index without bounds checking.
SILK's decode_pitch() clamps pitch lags to [min_lag, max_lag] where
max_lag = PE_MAX_LAG_MS * Fs_kHz = 288 at 16kHz. If a model is trained
with pitch_max &lt; 288 (the Python training defaults use pitch_max=257),
pitch lag values in the range [pitch_max+1, 288] would read past the
end of the embedding weight table.

Add IMIN/IMAX clamping to bound the pitch index to [0, *_PITCH_MAX]
before the embedding lookup, consistent with how FARGAN handles pitch
embedding access in fargan.c:53.

The current shipped model (v1.6.1) uses pitch_max=300 which covers the
full SILK pitch range, but the C code should defensively clamp regardless
of model parameters.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/dnn/osce.c b/dnn/osce.c
@@ -183,8 +183,9 @@ static void lace_feature_net(
     /* scaling and dimensionality reduction */
     for (i_subframe = 0; i_subframe < 4; i_subframe ++)
     {
+        int pitch_index = IMAX(0, IMIN(periods[i_subframe], LACE_PITCH_MAX));
         OPUS_COPY(input_buffer, features + i_subframe * LACE_NUM_FEATURES, LACE_NUM_FEATURES);
-        OPUS_COPY(input_buffer + LACE_NUM_FEATURES, hLACE->layers.lace_pitch_embedding.float_weights + periods[i_subframe] * LACE_PITCH_EMBEDDING_DIM, LACE_PITCH_EMBEDDING_DIM);
+        OPUS_COPY(input_buffer + LACE_NUM_FEATURES, hLACE->layers.lace_pitch_embedding.float_weights + pitch_index * LACE_PITCH_EMBEDDING_DIM, LACE_PITCH_EMBEDDING_DIM);
         OPUS_COPY(input_buffer + LACE_NUM_FEATURES + LACE_PITCH_EMBEDDING_DIM, numbits_embedded, 2 * LACE_NUMBITS_EMBEDDING_DIM);
 
         compute_generic_conv1d(
@@ -454,8 +455,9 @@ static void nolace_feature_net(
     /* scaling and dimensionality reduction */
     for (i_subframe = 0; i_subframe < 4; i_subframe ++)
     {
+        int pitch_index = IMAX(0, IMIN(periods[i_subframe], NOLACE_PITCH_MAX));
         OPUS_COPY(input_buffer, features + i_subframe * NOLACE_NUM_FEATURES, NOLACE_NUM_FEATURES);
-        OPUS_COPY(input_buffer + NOLACE_NUM_FEATURES, hNoLACE->layers.nolace_pitch_embedding.float_weights + periods[i_subframe] * NOLACE_PITCH_EMBEDDING_DIM, NOLACE_PITCH_EMBEDDING_DIM);
+        OPUS_COPY(input_buffer + NOLACE_NUM_FEATURES, hNoLACE->layers.nolace_pitch_embedding.float_weights + pitch_index * NOLACE_PITCH_EMBEDDING_DIM, NOLACE_PITCH_EMBEDDING_DIM);
         OPUS_COPY(input_buffer + NOLACE_NUM_FEATURES + NOLACE_PITCH_EMBEDDING_DIM, numbits_embedded, 2 * NOLACE_NUMBITS_EMBEDDING_DIM);
 
         compute_generic_conv1d(
