From 8caa63f329c26fcf8dda71ed0a928a7c39c0f839 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:07:13 +0100
Subject: Avoid unsigned integer overflow in transportDec_InBandConfig() and
 transportDec_ReadAccessUnit().

Bug: 146937857
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: If2320f3a1ddf6a36c07338100481801a996e455d
---
 libMpegTPDec/src/tpdec_lib.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src/tpdec_lib.cpp')

diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index ede64c9..617f9a1 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -482,7 +482,8 @@ TRANSPORTDEC_ERROR transportDec_InBandConfig(HANDLE_TRANSPORTDEC hTp,
 
         for (int i = 0; i < 2; i++) {
           if (i > 0) {
-            FDKpushBack(hBs, newConfigLength * 8 - FDKgetValidBits(hBs));
+            FDKpushBack(hBs,
+                        (INT)newConfigLength * 8 - (INT)FDKgetValidBits(hBs));
             configMode = AC_CM_ALLOC_MEM;
           }
           /* config transport decoder */
@@ -1469,7 +1470,7 @@ TRANSPORTDEC_ERROR transportDec_ReadAccessUnit(const HANDLE_TRANSPORTDEC hTp,
 
         for (i = 0; i < 2; i++) {
           if (i > 0) {
-            FDKpushBack(hBs, bsStart - FDKgetValidBits(hBs));
+            FDKpushBack(hBs, bsStart - (INT)FDKgetValidBits(hBs));
             configMode = AC_CM_ALLOC_MEM;
           }
 
-- 
cgit v1.2.3


From 8fee7605df2d8759a63faa3d0b1aac7d95dfc1af Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:07:33 +0100
Subject: Prevent undefined syncLayerFrameBits in synchronization().

Bug: 146937540
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Idaaa11d95c13220a9f96e6d73d4813492a740954
---
 libMpegTPDec/src/tpdec_lib.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src/tpdec_lib.cpp')

diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 617f9a1..7bebbaa 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -981,6 +981,9 @@ static TRANSPORTDEC_ERROR transportDec_readHeader(
               CLatmDemux_GetNrOfSubFrames(&hTp->parser.latm);
           if (hTp->transportFmt == TT_MP4_LOAS) {
             syncLayerFrameBits -= startPos - (INT)FDKgetValidBits(hBs) - (13);
+            if (syncLayerFrameBits <= 0) {
+              err = TRANSPORTDEC_SYNC_ERROR;
+            }
           }
         }
       } else {
@@ -1271,8 +1274,9 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp,
   if (!(hTp->flags & (TPDEC_LOST_FRAMES_PENDING | TPDEC_IGNORE_BUFFERFULLNESS |
                       TPDEC_SYNCOK)) &&
       err == TRANSPORTDEC_OK) {
-    err = additionalHoldOffNeeded(hTp, transportDec_GetBufferFullness(hTp),
-                                  FDKgetValidBits(hBs) - syncLayerFrameBits);
+    err =
+        additionalHoldOffNeeded(hTp, transportDec_GetBufferFullness(hTp),
+                                (INT)FDKgetValidBits(hBs) - syncLayerFrameBits);
     if (err == TRANSPORTDEC_NOT_ENOUGH_BITS) {
       hTp->holdOffFrames++;
     }
-- 
cgit v1.2.3