From a4d1f0ad52e2cf6f168d2193216602f52033fc27 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK
Date: Wed, 23 May 2018 18:26:27 +0200
Subject: FDKv2 ubsan patches
Bug: 80053205 Test: see bug for repro with FB "wow" atest DecoderTestAacDrc Fix signed integer overflows in CLpc_SynthesisLattice() Change-Id: Icbddfcc8c5fc73382ae5bf8c2a7703802c688e06 Fix signed integer overflows in imlt Change-Id: I687834fca2f1aab6210ed9862576b4f38fcdeb24 Fix overflow in addLowbandEnergies() Change-Id: Iaa9fdf9deb49c33ec6ca7ed3081c4ddaa920e9aa Concealment fix for audio frames containing acelp components Change-Id: Ibe5e83a6efa75a48f729984a161a76b826878f4e Fix out-of-bounds access in PS concealment Change-Id: I08809a03a40d1feaf00e41278db314d67e1efe88 Fix potential memory leak in setup of qmf domain Change-Id: Id9fc2448354dc7f1b439469128407305efa3def2 Reject channel config 13 Change-Id: Idf5236f6cd054df994e69c9c972c97f6768cf9e5 Fix unsigned integer overflow in configExtension() Change-Id: I8a1668810b85e6237c3892891444ff08f04b019b Fix unsigned integer overflow in CAacDecoder_DecodeFrame() Change-Id: I79678c571690178e6c37680f70a9b94dd3cbc439 Fix unsigned integer overflow in aacDecoder_UpdateBitStreamCounters() Change-Id: I3bff959da9f53fabb18cd0ae6c260e6256194526 Fix unsigned integer overflow in transportDec_readStream() Change-Id: I6a6f9f4acaa32fae0b5de9641f8787bbc7f8286b
---
 libMpegTPDec/src/tpdec_asc.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'libMpegTPDec/src/tpdec_asc.cpp')
diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index b7fd2a1..b0f1c6a 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -1618,7 +1618,7 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc,
 usacConfigExtLength = (int)escapedValue(hBs, 4, 8, 16);
 /* Start bit position of config extension */
- nbits = FDKgetValidBits(hBs);
+ nbits = (INT)FDKgetValidBits(hBs);
 /* Return an error in case the bitbuffer fill level is too low. */
 if (nbits < usacConfigExtLength * 8) {
@@ -1650,7 +1650,7 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc,
 /* Skip remaining bits. If too many bits were parsed, assume error. */
 usacConfigExtLength =
- 8 * usacConfigExtLength - (nbits - FDKgetValidBits(hBs));
+ 8 * usacConfigExtLength - (nbits - (INT)FDKgetValidBits(hBs));
 if (usacConfigExtLength < 0) {
 return TRANSPORTDEC_PARSE_ERROR;
 }
-- cgit v1.2.3
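Review bot: The two added `(INT)` casts on FDKgetValidBits() (the `nbits` assignment in the first hunk and the consumed-bits subtraction in the second) narrow the return value without stating why that is safe. The commit message calls this an unsigned overflow fix, so the function presumably returns an unsigned count; the cast then only preserves the value while the fill level stays within the INT range, and neither hunk shows that bound. Once it has been checked against the bit-buffer implementation, I would record it at the first cast, for example `/* valid-bit count is bounded by the bit-buffer size and fits in INT */`, so the signed `nbits < usacConfigExtLength * 8` and `usacConfigExtLength < 0` checks are not read as covering a wrapped value. The context line above the first change spells its cast `(int)` while the new lines use `(INT)`; one spelling within the function would read better. The declaration of `nbits` and the rest of configExtension() lie outside both hunks.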