From 5522e52e5a6efc569cb5607f38132b0619f5d655 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 8 May 2020 16:41:29 +0200
Subject: [PATCH] Prevent signed integer overflow in calc_qmfBufferReal().

Bug: 186706541
Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc
Change-Id: I6d12fba9d958280ead368fcc4c6c5c79dc0111e2
---
 libSBRdec/src/lpp_tran.cpp | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/libSBRdec/src/lpp_tran.cpp b/libSBRdec/src/lpp_tran.cpp
index 93e1158..ed1a764 100644
--- a/libSBRdec/src/lpp_tran.cpp
+++ b/libSBRdec/src/lpp_tran.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright  1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
  1.    INTRODUCTION
@@ -220,19 +220,21 @@ static inline void calc_qmfBufferReal(FIXP_DBL **qmfBufferReal,
                                       const FIXP_DBL *const lowBandReal,
                                       const int startSample,
                                       const int stopSample, const UCHAR hiBand,
-                                      const int dynamicScale, const int descale,
+                                      const int dynamicScale,
                                       const FIXP_SGL a0r, const FIXP_SGL a1r) {
-  FIXP_DBL accu1, accu2;
-  int i;
+  const int dynscale = fixMax(0, dynamicScale - 1) + 1;
+  const int rescale = -fixMin(0, dynamicScale - 1) + 1;
+  const int descale =
+      fixMin(DFRACT_BITS - 1, LPC_SCALE_FACTOR + dynamicScale + rescale);
 
-  for (i = 0; i < stopSample - startSample; i++) {
-    accu1 = fMultDiv2(a1r, lowBandReal[i]);
-    accu1 = (fMultDiv2(a0r, lowBandReal[i + 1]) + accu1);
-    accu1 = accu1 >> dynamicScale;
+  for (int i = 0; i < stopSample - startSample; i++) {
+    FIXP_DBL accu;
 
-    accu1 <<= 1;
-    accu2 = (lowBandReal[i + 2] >> descale);
-    qmfBufferReal[i + startSample][hiBand] = accu1 + accu2;
+    accu = fMultDiv2(a1r, lowBandReal[i]) + fMultDiv2(a0r, lowBandReal[i + 1]);
+    accu = (lowBandReal[i + 2] >> descale) + (accu >> dynscale);
+
+    qmfBufferReal[i + startSample][hiBand] =
+        SATURATE_LEFT_SHIFT(accu, rescale, DFRACT_BITS);
   }
 }
 
@@ -814,9 +816,7 @@ void lppTransposer(
           FDK_ASSERT(dynamicScale >= 0);
           calc_qmfBufferReal(
               qmfBufferReal, &(lowBandReal[LPC_ORDER + startSample - 2]),
-              startSample, stopSample, hiBand, dynamicScale,
-              fMin(DFRACT_BITS - 1, (LPC_SCALE_FACTOR + dynamicScale)), a0r,
-              a1r);
+              startSample, stopSample, hiBand, dynamicScale, a0r, a1r);
         }
       } /* bw <= 0 */