From 66c08f71f6ac519fb36f3d75b176e0f020d8f890 Mon Sep 17 00:00:00 2001
From: ganxiaolin <ganxiaolin@xiaomi.com>
Date: Thu, 21 Jan 2016 20:06:00 +0800
Subject: fix memset overflow of wcep_pI

In the sigAllocate, the allocation size is only sizeof(picoos_int32) * PICODSP_FFTSIZE.
It will cover next cell's header to 0, which usually is int_vec29. wcep_pI is int_vec28.
And that will cause crash in picoos_deallocate, because int_vec29's header is error.
In 32 bits machine, this problem don't appear because size is covered by 0.
And in 64 bits machine, the size is covered by 0x100000000, that cause segment fault.

Signed-off-by: ganxiaolin <ganxiaolin@xiaomi.com>
---
 pico/lib/picosig2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pico/lib/picosig2.c b/pico/lib/picosig2.c
index c2a69cc..c25cbe4 100644
--- a/pico/lib/picosig2.c
+++ b/pico/lib/picosig2.c
@@ -552,7 +552,7 @@ void mel_2_lin_lookup(sig_innerobj_t *sig_inObj, picoos_uint32 scmeanMGC)
     for (nI = 1; nI < m1; nI++) {
         XXr[nI] = c1[nI] << shift;
     }
-    i = sizeof(picoos_int32) * (PICODSP_FFTSIZE + 1 - m1);
+    i = sizeof(picoos_int32) * (PICODSP_FFTSIZE - m1);
     picoos_mem_set(XXr + m1, 0, i);
     dfct_nmf(m4, XXr); /* DFCT directly in fixed point */
 
-- 
cgit v1.2.3