From: Joseph Sellers Date: Sat, 6 Dec 2025 11:28:32 +0000 (+0000) Subject: vad : fix buffer overflow in sample reduction loop (#3558) X-Git-Tag: upstream/1.8.3~282 X-Git-Url: https://git.djapps.eu/?a=commitdiff_plain;h=a88b93f85f08fc6045e5d8a8c3f94b7be0ac8bce;p=pkg%2Fggml%2Fsources%2Fwhisper.cpp vad : fix buffer overflow in sample reduction loop (#3558) The buffer size calculation loop (line ~6661) uses `n_samples - 1` as the upper bound for segment_end_samples, but the copy loop (line 6696) uses `n_samples`. This inconsistency allows the copy loop to compute segment_length values up to 1 sample larger per segment than what was allocated, causing heap corruption. Symptom: `malloc(): corrupted top size` or `malloc(): invalid size (unsorted)` crashes after VAD completes sample reduction. Fix: Use consistent bounds (`n_samples - 1`) in both loops. Fixes #3403 --- diff --git a/src/whisper.cpp b/src/whisper.cpp index f6793cb2..b6581f2b 100644 --- a/src/whisper.cpp +++ b/src/whisper.cpp @@ -6693,7 +6693,7 @@ static bool whisper_vad( } segment_start_samples = std::min(segment_start_samples, n_samples - 1); - segment_end_samples = std::min(segment_end_samples, n_samples); + segment_end_samples = std::min(segment_end_samples, n_samples - 1); int segment_length = segment_end_samples - segment_start_samples; if (segment_length > 0) { whisper_state::vad_segment_info segment;
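Review bot: the upper bound on the changed line `segment_end_samples = std::min(segment_end_samples, n_samples - 1);` is still written out separately from the sizing loop that the commit message says it has to match, so the two can drift apart again the next time either one is edited. Consider computing the clamped start and end once per segment, either in a small helper or by storing them during the sizing pass, and reusing those values in the copy pass. A check before the copy that the running output offset plus `segment_length` does not exceed the allocated sample count would turn any future mismatch into a clean failure rather than heap corruption. Separately, `segment_length = segment_end_samples - segment_start_samples` treats the end as exclusive, so with the end clamped to `n_samples - 1` the sample at index `n_samples - 1` can never be copied. If dropping the final sample is not intended, the alternative consistent fix is to use `n_samples` as the end bound in both loops. A regression test with a segment whose end timestamp maps at or past `n_samples` would pin down whichever behaviour is chosen.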