From a4d1f0ad52e2cf6f168d2193216602f52033fc27 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 23 May 2018 18:26:27 +0200 Subject: FDKv2 ubsan patches Bug: 80053205 Test: see bug for repro with FB "wow" atest DecoderTestAacDrc Fix signed integer overflows in CLpc_SynthesisLattice() Change-Id: Icbddfcc8c5fc73382ae5bf8c2a7703802c688e06 Fix signed integer overflows in imlt Change-Id: I687834fca2f1aab6210ed9862576b4f38fcdeb24 Fix overflow in addLowbandEnergies() Change-Id: Iaa9fdf9deb49c33ec6ca7ed3081c4ddaa920e9aa Concealment fix for audio frames containing acelp components Change-Id: Ibe5e83a6efa75a48f729984a161a76b826878f4e Fix out-of-bounds access in PS concealment Change-Id: I08809a03a40d1feaf00e41278db314d67e1efe88 Fix potential memory leak in setup of qmf domain Change-Id: Id9fc2448354dc7f1b439469128407305efa3def2 Reject channel config 13 Change-Id: Idf5236f6cd054df994e69c9c972c97f6768cf9e5 Fix unsigned integer overflow in configExtension() Change-Id: I8a1668810b85e6237c3892891444ff08f04b019b Fix unsigned integer overflow in CAacDecoder_DecodeFrame() Change-Id: I79678c571690178e6c37680f70a9b94dd3cbc439 Fix unsigned integer overflow in aacDecoder_UpdateBitStreamCounters() Change-Id: I3bff959da9f53fabb18cd0ae6c260e6256194526 Fix unsigned integer overflow in transportDec_readStream() Change-Id: I6a6f9f4acaa32fae0b5de9641f8787bbc7f8286b
---
 libAACdec/src/aacdecoder.cpp | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
(limited to 'libAACdec/src/aacdecoder.cpp')
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp
index 3cbdffd..b8b1327 100644
--- a/libAACdec/src/aacdecoder.cpp
+++ b/libAACdec/src/aacdecoder.cpp
@@ -1589,9 +1589,6 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc,
 case 14:
 ascChannels = 8;
 break;
- case 13: /* 22.2 setup */
- ascChannels = 24;
- break;
 default:
 return AAC_DEC_UNSUPPORTED_CHANNELCONFIG;
 }
@@ -2837,7 +2834,7 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( /* usacExtElementStop = 1; */ } - usacExtBitPos = FDKgetValidBits(bs); + usacExtBitPos = (INT)FDKgetValidBits(bs); USAC_EXT_ELEMENT_TYPE usacExtElementType = self->pUsacConfig[streamIndex] @@ -2862,7 +2859,7 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( /* Skip any remaining bits of extension payload */ usacExtBitPos = (usacExtElementPayloadLength * 8) - - (usacExtBitPos - FDKgetValidBits(bs)); + (usacExtBitPos - (INT)FDKgetValidBits(bs)); if (usacExtBitPos < 0) { self->frameOK = 0; ErrorStatus = AAC_DEC_PARSE_ERROR; -- cgit v1.2.3
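Review bot: The `(INT)` cast added to `FDKgetValidBits(bs)` in the `usacExtBitPos` assignment has no comment explaining why it is needed, and the same cast recurs in the payload-skip computation of the following hunk (`@@ -2862,7 +2859,7 @@`). Judging from the cast and the commit message, the return type is presumably unsigned, so the subtraction used to run in unsigned arithmetic; the cast makes it signed so that an element consuming more bits than it declared yields a negative value directly instead of through wrap-around. I would add `/* signed on purpose: the remaining-bits difference computed below may go negative */` at the assignment. It is also worth confirming that the valid-bit count can never exceed the positive range of `INT` for the bit-buffer sizes in use, since the cast would otherwise change sign silently. CAacDecoder_DecodeFrame starts and ends outside the hunk.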
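Review bot: `usacExtElementPayloadLength * 8` in the skip computation is still evaluated with no visible bound, and with the `(INT)` cast the whole expression is now signed, where overflow is undefined rather than wrapping. The declaration and parsing of `usacExtElementPayloadLength` lie outside the hunk, so it may already be limited. If the value is taken from the bitstream without a cap, it should be range-checked before the multiplication, for example `if (usacExtElementPayloadLength < 0 || usacExtElementPayloadLength > (INT_MAX >> 3))` leading to the same `AAC_DEC_PARSE_ERROR` path. The existing `usacExtBitPos < 0` branch only catches the case where more bits were read than the payload declared.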