Invalid free in read_audio_data of whisper-cli #3501

@oneafter

Summary

When using whisper-cli to read audio files, AddressSanitizer reports an attempt to free memory that was not allocated on the heap. The invalid free occurs inside read_audio_data when ma_decoder_init_file is used, leading to a crash.

Reproduce

https://github.com/oneafter/InvalidFree/blob/main/repro

export LD_LIBRARY_PATH=/whisper.cpp/install/lib
./install/bin/whisper-cli -m ./models/for-tests-ggml-tiny.bin -f ./repro

Asan report

whisper_init_from_file_with_params_no_state: loading model from './models/for-tests-ggml-tiny.bin'
whisper_init_with_params_no_state: use gpu    = 1
whisper_init_with_params_no_state: flash attn = 1
whisper_init_with_params_no_state: gpu_device = 0
whisper_init_with_params_no_state: dtw        = 0
whisper_init_with_params_no_state: devices    = 1
whisper_init_with_params_no_state: backends   = 1
whisper_model_load: loading model
whisper_model_load: n_vocab       = 51865
whisper_model_load: n_audio_ctx   = 1500
whisper_model_load: n_audio_state = 384
whisper_model_load: n_audio_head  = 6
whisper_model_load: n_audio_layer = 4
whisper_model_load: n_text_ctx    = 448
whisper_model_load: n_text_state  = 384
whisper_model_load: n_text_head   = 6
whisper_model_load: n_text_layer  = 4
whisper_model_load: n_mels        = 80
whisper_model_load: ftype         = 1
whisper_model_load: qntvr         = 0
whisper_model_load: type          = 1 (tiny)
whisper_model_load: adding 1608 extra tokens
whisper_model_load: n_langs       = 99
whisper_model_load:          CPU total size =    77.11 MB
whisper_model_load: model size    =    0.00 MB
whisper_model_load: WARN no tensors loaded from model file - assuming empty model for testing
whisper_backend_init_gpu: no GPU found
whisper_init_state: kv self size  =    3.15 MB
whisper_init_state: kv cross size =    9.44 MB
whisper_init_state: kv pad  size  =    2.36 MB
whisper_init_state: compute buffer (conv)   =   13.21 MB
whisper_init_state: compute buffer (encode) =   17.72 MB
whisper_init_state: compute buffer (cross)  =    3.89 MB
whisper_init_state: compute buffer (decode) =   95.91 MB
=================================================================
==32==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7f316360c1c8 in thread T0
    #0 0x5618e262aaf6 in __interceptor_free (/whisper.cpp/INS/bin/whisper-cli+0xdcaf6) (BuildId: a448611ba3edcb861e5563c99615ff6fb7930e89)
    #1 0x5618e2833701 in ma_decoder_init_file /whisper.cpp/examples/miniaudio.h:65452:17
    #2 0x5618e289c84e in read_audio_data(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::vector<float, std::allocator<float>>&, std::vector<std::vector<float, std::allocator<float>>, std::allocator<std::vector<float, std::allocator<float>>>>&, bool) /whisper.cpp/examples/common-whisper.cpp:75:25
    #3 0x5618e266ce21 in main /whisper.cpp/examples/cli/cli.cpp:1118:14
    #4 0x7f3165164d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    #5 0x7f3165164e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    #6 0x5618e2590f74 in _start (/whisper.cpp/INS/bin/whisper-cli+0x42f74) (BuildId: a448611ba3edcb861e5563c99615ff6fb7930e89)

Address 0x7f316360c1c8 is located in stack of thread T0 at offset 456 in frame
    #0 0x5618e289c49f in read_audio_data(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::vector<float, std::allocator<float>>&, std::vector<std::vector<float, std::allocator<float>>, std::allocator<std::vector<float, std::allocator<float>>>>&, bool) /whisper.cpp/examples/common-whisper.cpp:42

  This frame has 10 object(s):
    [32, 36) 'format.i.i'
    [48, 52) 'channels.i.i'
    [64, 68) 'sampleRate.i.i'
    [80, 88) 'internalLengthInPCMFrames.i'
    [112, 136) 'audio_data' (line 43)
    [176, 320) 'decoder_config' (line 46)
    [384, 936) 'decoder' (line 47) <== Memory access at offset 456 is inside this variable
    [1072, 1132) 'ref.tmp.sroa.8' (line 49)
    [1168, 2192) 'buf' (line 56)
    [2320, 2328) 'frames_read' (line 98)

SUMMARY: AddressSanitizer: bad-free (/whisper.cpp/INS/bin/whisper-cli+0xdcaf6) (BuildId: a448611ba3edcb861e5563c99615ff6fb7930e89) in __interceptor_free
==32==ABORTING
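
A triage helper for the report above, as an added example that is not part of the original issue or of the whisper.cpp code base: it resolves the freed address to the stack object that ASan lists for the frame. The function name `triage_bad_free` and the result keys are assumptions; the sample lines are copied from the report, with the long C++ signatures left out.

```python
import re

# Lines copied from the ASan report in this issue (stack trace and signatures omitted).
REPORT = """\
==32==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7f316360c1c8 in thread T0
Address 0x7f316360c1c8 is located in stack of thread T0 at offset 456 in frame
  This frame has 10 object(s):
    [32, 36) 'format.i.i'
    [48, 52) 'channels.i.i'
    [64, 68) 'sampleRate.i.i'
    [80, 88) 'internalLengthInPCMFrames.i'
    [112, 136) 'audio_data' (line 43)
    [176, 320) 'decoder_config' (line 46)
    [384, 936) 'decoder' (line 47) <== Memory access at offset 456 is inside this variable
    [1072, 1132) 'ref.tmp.sroa.8' (line 49)
    [1168, 2192) 'buf' (line 56)
    [2320, 2328) 'frames_read' (line 98)
"""

ERR = re.compile(r"AddressSanitizer: attempting free on address which was not "
                 r"malloc\(\)-ed: (0x[0-9a-f]+)")
LOC = re.compile(r"Address (0x[0-9a-f]+) is located in (\w+) of thread \S+ "
                 r"at offset (\d+) in frame")
OBJ = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'(?: \(line (\d+)\))?", re.M)

def triage_bad_free(report):
    """Resolve the freed address to the frame object that contains it."""
    err, loc = ERR.search(report), LOC.search(report)
    if not err or not loc or err.group(1) != loc.group(1):
        return None  # not a bad-free report, or no frame location for that address
    offset = int(loc.group(3))
    result = {"address": err.group(1), "region": loc.group(2),
              "frame_offset": offset, "object": None}
    for m in OBJ.finditer(report):
        start, end = int(m.group(1)), int(m.group(2))
        if start <= offset < end:  # ASan prints half-open [start, end) ranges
            result.update(object=m.group(3), size=end - start,
                          offset_in_object=offset - start,
                          line=int(m.group(4)) if m.group(4) else None)
            break
    return result

if __name__ == "__main__":
    print(triage_bad_free(REPORT))
```

For this report the helper returns `decoder` (declared at line 47), 72 bytes into a 552-byte object, so the pointer handed to `free` is an interior pointer into the stack-allocated decoder rather than a heap block.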
