From 44ac411683e7cfbfdb1f58e02d54377d709c8dd4 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK
Date: Wed, 9 May 2018 13:32:45 +0200
Subject: FDK patches: fix overflows in decoder out-of-band config
Bug: 71430241
Bug: 79220129
Test: cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestXheAac cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestAacDrc
Unsigned Integer Overflows in CDataStreamElement_Read()
Change-Id: Ic2f5b3ae111bf984d4d0db664823798957b0a979
Unsigned Integer Overflow in CProgramConfig_ReadHeightExt()
Change-Id: Iaebc458bb59504203e604a28ed6d5cecaa875c42
Unsigned Integer Overflow in transportDec_OutOfBandConfig()
Change-Id: I24a4b32d736f28c55147f0e2ca06fe5537da19c2
Unsigned Integer Overflows in CDKcrcEndReg() & crcCalc()
Change-Id: I6ebbe541a4d3b6bacbd5ace17264972951de7ca8
Unsigned Integer Overflows in ReadPsData()
Change-Id: Id36576fe545236860a06f17971494ecd4484c494
Unsigned Integer Overflow in SpatialDecParseSpecificConfig()
Change-Id: Ib468f129a951c69776b88468407f008ab4cfd2c7
Unsigned Integer Overflows in _readUniDrcConfigExtension() & _readLoudnessInfoSetExtension()
Change-Id: Ibcf7c6a23af49239206ea9301c58adac36e3ceba
---
 libAACdec/src/aacdecoder.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'libAACdec')
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp
index 64adb56..3cbdffd 100644
--- a/libAACdec/src/aacdecoder.cpp
+++ b/libAACdec/src/aacdecoder.cpp
@@ -437,7 +437,8 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
 UCHAR *elementInstanceTag,
 UINT alignmentAnchor) {
 AAC_DECODER_ERROR error = AAC_DEC_OK;
- UINT dataStart, dseBits;
+ UINT dseBits;
+ INT dataStart;
 int dataByteAlignFlag, count;
 FDK_ASSERT(self != NULL);
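Review bot: The new `INT dataStart;` declaration sits next to `UINT dseBits;` with nothing recording why the two bit counts now differ in signedness. A short comment on that line, for example `/* signed on purpose: only used in differences of bit positions, which must not wrap */`, would keep a later tidy-up from merging the two declarations again and bringing the unsigned wrap-around back. The body of CDataStreamElement_Read continues outside this hunk.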
@@ -460,14 +461,14 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
 FDKbyteAlign(bs, alignmentAnchor);
 }
- dataStart = FDKgetValidBits(bs);
+ dataStart = (INT)FDKgetValidBits(bs);
 error = CAacDecoder_AncDataParse(&self->ancData, bs, count);
 transportDec_CrcEndReg(self->hInput, crcReg);
 {
 /* Move to the beginning of the data chunk */
- FDKpushBack(bs, dataStart - FDKgetValidBits(bs));
+ FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs));
 /* Read Anc data if available */
 aacDecoder_drcMarkPayload(self->hDrcInfo, bs, DVB_DRC_ANC_DATA);
@@ -477,7 +478,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
 PCMDMX_ERROR dmxErr = PCMDMX_OK;
 /* Move to the beginning of the data chunk */
- FDKpushBack(bs, dataStart - FDKgetValidBits(bs));
+ FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs));
 /* Read DMX meta-data */
 dmxErr = pcmDmx_Parse(self->hPcmUtils, bs, dseBits, 0 /* not mpeg2 */);
@@ -487,8 +488,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
 }
 /* Move to the very end of the element. */
- FDKpushBiDirectional(
- bs, (INT)FDKgetValidBits(bs) - (INT)dataStart + (INT)dseBits);
+ FDKpushBiDirectional(bs, (INT)FDKgetValidBits(bs) - dataStart + (INT)dseBits);
 return error;
 }
-- 
cgit v1.2.3
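Review bot: The two rewinds `FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs));` (the hunk at -460 and again at -477) now pass a signed difference, but nothing checks that it is non-negative before the call. FDKpushBack's parameter type is not visible in this patch; if it takes an unsigned bit count, a negative difference would convert to a very large distance, which is the same class of wrap the commit sets out to remove. The final seek already goes through `FDKpushBiDirectional`, which is given a signed offset, so the rewinds could use it as well, `FDKpushBiDirectional(bs, (INT)FDKgetValidBits(bs) - dataStart);`, or the distance could be checked and the element rejected when it is negative. The hunk at -460 also shows the result of `CAacDecoder_AncDataParse` stored in `error` while the rewind and payload parsing proceed regardless; a comment saying that this is intended would help. The function starts outside these hunks.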