From e3b9058b8b72ccc890014c597b25a7cedfd555e3 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:08:09 +0100
Subject: Avoid unsigned integer overflows in FDK_Feed().

Bug: 146937030
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I7bd63c2fbfed2612c80d3334d1339e1cd215e034
---
 libFDK/src/FDK_bitbuffer.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/libFDK/src/FDK_bitbuffer.cpp b/libFDK/src/FDK_bitbuffer.cpp
index 98905ea..9b7f5b8 100644
--- a/libFDK/src/FDK_bitbuffer.cpp
+++ b/libFDK/src/FDK_bitbuffer.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
  1.    INTRODUCTION
@@ -368,7 +368,10 @@ void FDK_Feed(HANDLE_FDK_BITBUF hBitBuf, const UCHAR *RESTRICT inputBuffer,
 
   UINT bTotal = 0;
 
-  UINT bToRead = (hBitBuf->bufBits - hBitBuf->ValidBits) >> 3;
+  UINT bToRead =
+      fMin(hBitBuf->bufBits,
+           (UINT)fMax(0, ((INT)hBitBuf->bufBits - (INT)hBitBuf->ValidBits))) >>
+      3;
   UINT noOfBytes =
       fMin(bToRead,
            *bytesValid);  //(bToRead < *bytesValid) ? bToRead : *bytesValid ;
@@ -384,7 +387,7 @@ void FDK_Feed(HANDLE_FDK_BITBUF hBitBuf, const UCHAR *RESTRICT inputBuffer,
               bToRead * sizeof(UCHAR));
 
     /* add noOfBits to number of valid bits in buffer */
-    hBitBuf->ValidBits += bToRead << 3;
+    hBitBuf->ValidBits = (UINT)((INT)hBitBuf->ValidBits + (INT)(bToRead << 3));
     bTotal += bToRead;
     inputBuffer += bToRead;
 
-- 
cgit v1.2.3