From 512898b2985f8da79a07fd137b0ff0b6c614bf37 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK
Date: Fri, 29 Jun 2018 16:34:34 +0200
Subject: Unsigned Integer Overflow in CAacDecoder_PreRollExtensionPayloadParse()

Bug: 112661610
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I96e2c10328fec8fd12f9c752904860b87a72bed2
---
 libAACdec/src/aacdecoder.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp
index 24907ee..8993927 100644
--- a/libAACdec/src/aacdecoder.cpp
+++ b/libAACdec/src/aacdecoder.cpp
@@ -775,7 +775,7 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_PreRollExtensionPayloadParse(
 /* For every AU get length and offset in the bitstream */
 prerollAULength[i] = escapedValue(hBs, 16, 16, 0);
 if (prerollAULength[i] > 0) {
- prerollAUOffset[i] = auStartAnchor - FDKgetValidBits(hBs);
+ prerollAUOffset[i] = auStartAnchor - (INT)FDKgetValidBits(hBs);
 independencyFlag = FDKreadBit(hBs);
 if (i == 0 && !independencyFlag) {
 *numPrerollAU = 0;
--
cgit v1.2.3
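Review bot: The `(INT)` cast on the `prerollAUOffset[i]` assignment only makes the subtraction signed; nothing in the visible lines checks the result. If `FDKgetValidBits(hBs)` can exceed `auStartAnchor` for a malformed stream, the stored offset is negative, or wraps again on assignment if `prerollAUOffset` is an unsigned array (its declaration is outside the hunk). `prerollAULength[i]` is likewise read straight from the bitstream via `escapedValue()` and is not compared against the remaining bits here. Consider computing the difference into a local `INT`, rejecting a negative value or a length beyond the remaining bits before storing, and documenting the cast with `/* signed on purpose: FDKgetValidBits() is unsigned and would wrap the difference */`. The function body starts and ends outside the hunk, so an existing bounds check elsewhere cannot be ruled out.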