Potential Division-by-Zero and Memory Allocation Error

[spearo2]

Dear authors,
It seems that there exists potential division by zero error in vector_quantize function in src/programs/cdcn_train/vq.c in line 284.

sphinxtrain/src/programs/cdcn_train/vq.c

Lines 280 to 284 in 811dfbf

	Update_codebook(bin, vector, Nvecs, codes, Ncodes, Ndim);
	distortion =
	Distortion_and_cluster(bin, vector, Nvecs, codes,
	Ncodes, Ndim);
	improvement = (prevdist - distortion) / distortion;

When an arbitrary input comes from

sphinxtrain/src/programs/cdcn_train/main.c

Line 97 in 811dfbf

corpus_get_generic_featurevec(&buff, &length, Ndim);

Distortion_and_cluster function can return 0

sphinxtrain/src/programs/cdcn_train/vq.c

Lines 171 to 187 in 811dfbf

	distortion = 0;
	for (i = 0; i < Nvecs; ++i) {
	mindist = 1.0e+32;
	nearest = 0;
	mindist =
	prune_distance(vector[i], codes[0], Ndim, mindist);
	for (j = 1; j < Ncodes; ++j) {
	codedist =
	prune_distance(vector[i], codes[j], Ndim,
	mindist);
	if (codedist < mindist) {
	mindist = codedist;
	nearest = j;
	}
	}
	bins[i] = nearest;
	distortion += mindist;

sphinxtrain/src/programs/cdcn_train/vq.c

Lines 81 to 89 in 811dfbf

	t = *x++ - *y++;
	dist = t * t;
	for (i = 1; i < Ndim; ++i) {
	t = *x++ - *y++;
	dist += t * t;
	if (dist > mindist)
	break;
	}
	return (dist);

The scenarios could be when input is homogeneous or when the number of codewords matches unique vectors.

A simple possible patch would be

+    if (! distortion) {
+      printf("division by zero: ...");
+      exit(...);
+    }
284    improvement = (prevdist - distortion) / distortion;

---

Also, there exists a potential memory allocation error causing the program to crash
at function areadfloat_part in sphinxtrain/src/libs/libio/s3io.c

When an arbitrary value r_len is given as an argument withsizeof(float) to calloc, it can return NULL

sphinxtrain/src/libs/libio/s3io.c

Line 600 in 811dfbf

r_buf = calloc(r_len, sizeof(float));

When an arbitrary value for cur_ctl_sf comes from

sphinxtrain/src/libs/libsphinxbase/util/pio.c

Line 331 in 811dfbf

if (fgets(li->buf + li->len, li->bsiz - li->len, li->fh) == NULL) {

sphinxtrain/src/libs/libio/corpus.c

Lines 320 to 328 in 811dfbf

	li = lineiter_start_clean(ctl_fp);
	if (li == NULL) {
	E_ERROR("Must be at least one line in the control file\n");
	return S3_ERROR;
	}
	parse_ctl_line(li->buf,
	&next_ctl_path,

sphinxtrain/src/libs/libio/corpus.c

Line 1080 in 811dfbf

cur_ctl_path = next_ctl_path;

The following trace can cause the program to crash

sphinxtrain/src/libs/libio/corpus.c

Lines 1319 to 1322 in 811dfbf

	ret = areadfloat_part(mk_filename(DATA_TYPE_MFCC, cur_ctl_path),
	cur_ctl_sf * veclen,
	(cur_ctl_ef + 1) * veclen - 1,
	cptr, (int *)&n_c);

sphinxtrain/src/libs/libio/s3io.c

Line 590 in 811dfbf

r_len = e_coeff - s_coeff + 1;

sphinxtrain/src/libs/libio/s3io.c

Line 600 in 811dfbf

r_buf = calloc(r_len, sizeof(float));

sphinxtrain/src/libs/libio/s3io.c

Line 601 in 811dfbf

if (fread(r_buf, sizeof(float), r_len, fp) != r_len) {

A simple possible patch would be

600  r_buf = calloc(r_len, sizeof(float)); 
+       if (r_len > INT_MAX / sizeof(float)) {
+           return -1;
+       }

---

These error was discovered by static analysis results

[mbait]

Thank you for your report. Divising by zero is not a thing for floating-point computations, as in the worst case you'll get Inf which means you fed some garbage to the func. As for the second part of the issue - if calloc() failed then you're out of memory and even if you catch that error, the program will crash soon anyways as the graceful shutdown hasn't been implemented in CMUSphinx in general. You're, however, are welcome to make a patch.