whisper.cpp icon indicating copy to clipboard operation
whisper.cpp copied to clipboard
verified publisher icon ggerganov

Invalid free in read_audio_data of whisper-cli

Open oneafter opened this issue 3 months ago • 0 comments

Summary

When using whisper-cli to read audio files, AddressSanitizer reports an attempt to free memory that was not allocated on the heap. The invalid free occurs inside read_audio_data when ma_decoder_init_file is used, leading to a crash.

Environment

  • OS: Linux x86_64
  • Complier: Clang with -fsanitize=address
  • Tools: AddressSanitizer

Reproduce

export LD_LIBRARY_PATH=/whisper.cpp/install/lib
./install/bin/whisper-cli -m ./models/for-tests-ggml-tiny.bin -f ./repro

Download Link: repro

Asan report

whisper_init_from_file_with_params_no_state: loading model from './models/for-tests-ggml-tiny.bin'
whisper_init_with_params_no_state: use gpu    = 1
whisper_init_with_params_no_state: flash attn = 1
whisper_init_with_params_no_state: gpu_device = 0
whisper_init_with_params_no_state: dtw        = 0
whisper_init_with_params_no_state: devices    = 1
whisper_init_with_params_no_state: backends   = 1
whisper_model_load: loading model
whisper_model_load: n_vocab       = 51865
whisper_model_load: n_audio_ctx   = 1500
whisper_model_load: n_audio_state = 384
whisper_model_load: n_audio_head  = 6
whisper_model_load: n_audio_layer = 4
whisper_model_load: n_text_ctx    = 448
whisper_model_load: n_text_state  = 384
whisper_model_load: n_text_head   = 6
whisper_model_load: n_text_layer  = 4
whisper_model_load: n_mels        = 80
whisper_model_load: ftype         = 1
whisper_model_load: qntvr         = 0
whisper_model_load: type          = 1 (tiny)
whisper_model_load: adding 1608 extra tokens
whisper_model_load: n_langs       = 99
whisper_model_load:          CPU total size =    77.11 MB
whisper_model_load: model size    =    0.00 MB
whisper_model_load: WARN no tensors loaded from model file - assuming empty model for testing
whisper_backend_init_gpu: no GPU found
whisper_init_state: kv self size  =    3.15 MB
whisper_init_state: kv cross size =    9.44 MB
whisper_init_state: kv pad  size  =    2.36 MB
whisper_init_state: compute buffer (conv)   =   13.21 MB
whisper_init_state: compute buffer (encode) =   17.72 MB
whisper_init_state: compute buffer (cross)  =    3.89 MB
whisper_init_state: compute buffer (decode) =   95.91 MB
=================================================================
==32==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7f316360c1c8 in thread T0
    #0 0x5618e262aaf6 in __interceptor_free (/whisper.cpp/INS/bin/whisper-cli+0xdcaf6) (BuildId: a448611ba3edcb861e5563c99615ff6fb7930e89)
    #1 0x5618e2833701 in ma_decoder_init_file /whisper.cpp/examples/miniaudio.h:65452:17
    #2 0x5618e289c84e in read_audio_data(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::vector<float, std::allocator<float>>&, std::vector<std::vector<float, std::allocator<float>>, std::allocator<std::vector<float, std::allocator<float>>>>&, bool) /whisper.cpp/examples/common-whisper.cpp:75:25
    #3 0x5618e266ce21 in main /whisper.cpp/examples/cli/cli.cpp:1118:14
    #4 0x7f3165164d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    #5 0x7f3165164e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    #6 0x5618e2590f74 in _start (/whisper.cpp/INS/bin/whisper-cli+0x42f74) (BuildId: a448611ba3edcb861e5563c99615ff6fb7930e89)

Address 0x7f316360c1c8 is located in stack of thread T0 at offset 456 in frame
    #0 0x5618e289c49f in read_audio_data(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::vector<float, std::allocator<float>>&, std::vector<std::vector<float, std::allocator<float>>, std::allocator<std::vector<float, std::allocator<float>>>>&, bool) /whisper.cpp/examples/common-whisper.cpp:42

  This frame has 10 object(s):
    [32, 36) 'format.i.i'
    [48, 52) 'channels.i.i'
    [64, 68) 'sampleRate.i.i'
    [80, 88) 'internalLengthInPCMFrames.i'
    [112, 136) 'audio_data' (line 43)
    [176, 320) 'decoder_config' (line 46)
    [384, 936) 'decoder' (line 47) <== Memory access at offset 456 is inside this variable
    [1072, 1132) 'ref.tmp.sroa.8' (line 49)
    [1168, 2192) 'buf' (line 56)
    [2320, 2328) 'frames_read' (line 98)

SUMMARY: AddressSanitizer: bad-free (/whisper.cpp/INS/bin/whisper-cli+0xdcaf6) (BuildId: a448611ba3edcb861e5563c99615ff6fb7930e89) in __interceptor_free
==32==ABORTING

oneafter avatar Nov 07 '25 06:11 oneafter