From 81933bc6eb4a0dd3c32dac96ab1e4d922d4bb5c7 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 8 Jun 2018 18:18:14 +0200 Subject: Unsigned Integer Overflow in transportDec_readHeader(). Bug: 112662270 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I0beedab38175fc57e5bd9eb5700a3850ef2bebf7 --- libMpegTPDec/src/tpdec_lib.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp index 1d8b7b3..a91dd8a 100644 --- a/libMpegTPDec/src/tpdec_lib.cpp +++ b/libMpegTPDec/src/tpdec_lib.cpp @@ -871,7 +871,7 @@ static TRANSPORTDEC_ERROR transportDec_readHeader( int fConfigFound = (pfConfigFound != NULL) ? *pfConfigFound : 0; int startPos; - startPos = FDKgetValidBits(hBs); + startPos = (INT)FDKgetValidBits(hBs); switch (hTp->transportFmt) { case TT_MP4_ADTS: @@ -941,7 +941,7 @@ static TRANSPORTDEC_ERROR transportDec_readHeader( fTraverseMoreFrames = 0; } syncLayerFrameBits = (hTp->parser.adts.bs.frame_length << 3) - - ((INT)startPos - (INT)FDKgetValidBits(hBs)) - + (startPos - (INT)FDKgetValidBits(hBs)) - syncLength; if (syncLayerFrameBits <= 0) { err = TRANSPORTDEC_SYNC_ERROR; @@ -952,7 +952,7 @@ static TRANSPORTDEC_ERROR transportDec_readHeader( break; case TT_MP4_LOAS: if (hTp->numberOfRawDataBlocks <= 0) { - syncLayerFrameBits = FDKreadBits(hBs, 13); + syncLayerFrameBits = (INT)FDKreadBits(hBs, 13); hTp->parser.latm.m_audioMuxLengthBytes = syncLayerFrameBits; syncLayerFrameBits <<= 3; } @@ -974,7 +974,7 @@ static TRANSPORTDEC_ERROR transportDec_readHeader( hTp->numberOfRawDataBlocks = CLatmDemux_GetNrOfSubFrames(&hTp->parser.latm); if (hTp->transportFmt == TT_MP4_LOAS) { - syncLayerFrameBits -= startPos - FDKgetValidBits(hBs) - (13); + syncLayerFrameBits -= startPos - (INT)FDKgetValidBits(hBs) - (13); } } } else { -- cgit v1.2.3