From 262c9f28ec50e2ebbd2cdd64bd82831d957cf420 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:07:47 +0100
Subject: Avoid negative valid bits in adtsRead_DecodeHeader()

Avoid negative valid bits in adtsRead_DecodeHeader()
and prevent unsigned integer overflow.

Bug: 146937602
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I264ff99e0461352ae5c2b2031393b67a7fa44571
---
 libMpegTPDec/src/tpdec_adts.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec')

diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp
index 1a4e3fd..63cc44f 100644
--- a/libMpegTPDec/src/tpdec_adts.cpp
+++ b/libMpegTPDec/src/tpdec_adts.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
  1.    INTRODUCTION
@@ -322,7 +322,13 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
       CProgramConfig_Read(&pAsc->m_progrConfigElement, hBs, alignAnchor);
 
       adtsRead_CrcEndReg(pAdts, hBs, crcReg);
-      pceBits = alignAnchor - FDKgetValidBits(hBs);
+      pceBits = (INT)alignAnchor - (INT)FDKgetValidBits(hBs);
+      adtsHeaderLength += pceBits;
+
+      if (pceBits > (INT)alignAnchor) {
+        goto bail;
+      }
+
       /* store the number of PCE bits */
       bs.num_pce_bits = pceBits;
     } else {
-- 
cgit v1.2.3