From b325367b332525e82ab331e3750a955a0679529a Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 8 Jun 2018 18:08:57 +0200
Subject: [PATCH] Unsigned Integer Overflow in
 SpatialDecParseSpecificConfigHeader().

Bug: 112661893
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc

Change-Id: I5994a55f993835fa511ff61a337726b3e51aed5d
---
 libSACdec/src/sac_bitdec.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp
index 37e0cf2..45fb17a 100644
--- a/libSACdec/src/sac_bitdec.cpp
+++ b/libSACdec/src/sac_bitdec.cpp
@@ -291,13 +291,13 @@ SACDEC_ERROR SpatialDecParseSpecificConfigHeader(
   if (sacHeaderLen == 127) {
     sacHeaderLen += FDKreadBits(bitstream, 16);
   }
-  numFillBits = FDKgetValidBits(bitstream);
+  numFillBits = (INT)FDKgetValidBits(bitstream);
 
   err = SpatialDecParseSpecificConfig(bitstream, pSpatialSpecificConfig,
                                       sacHeaderLen, coreCodec);
 
   numFillBits -=
-      FDKgetValidBits(bitstream); /* the number of read bits (tmpBits) */
+      (INT)FDKgetValidBits(bitstream); /* the number of read bits (tmpBits) */
   numFillBits = (8 * sacHeaderLen) - numFillBits;
   if (numFillBits < 0) {
     /* Parsing went wrong */