From fa8a80d8901e5cba18c932da42aa659e4d6c23a2 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 15 Aug 2018 14:32:17 +0200
Subject: [PATCH] Signed Integer Overflows in imlt_block()

Bug: 112890242
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I98fda0eea7f7223d76df31776c6723b618e5b581
---
 libAACdec/src/usacdec_fac.cpp | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/libAACdec/src/usacdec_fac.cpp b/libAACdec/src/usacdec_fac.cpp
index c10a3fe..0d3d844 100644
--- a/libAACdec/src/usacdec_fac.cpp
+++ b/libAACdec/src/usacdec_fac.cpp
@@ -534,10 +534,12 @@ INT CLpd_FAC_Acelp2Mdct(H_MDCT hMdct, FIXP_DBL *output, FIXP_DBL *_pSpec,
 
   /* Optional scaling of time domain - no yet windowed - of current spectrum */
   if (total_gain != (FIXP_DBL)0) {
-    scaleValuesWithFactor(pSpec, total_gain, tl, spec_scale[0] + scale);
-  } else {
-    scaleValuesSaturate(pSpec, tl, spec_scale[0] + scale);
+    for (i = 0; i < tl; i++) {
+      pSpec[i] = fMult(pSpec[i], total_gain);
+    }
   }
+  int loc_scale = fixmin_I(spec_scale[0] + scale, (INT)DFRACT_BITS - 1);
+  scaleValuesSaturate(pSpec, tl, loc_scale);
 
   pOut1 += fl / 2 - 1;
   pCurr = pSpec + tl - fl / 2;
@@ -623,10 +625,12 @@ INT CLpd_FAC_Acelp2Mdct(H_MDCT hMdct, FIXP_DBL *output, FIXP_DBL *_pSpec,
      */
     /* and de-scale current spectrum signal (time domain, no yet windowed) */
     if (total_gain != (FIXP_DBL)0) {
-      scaleValuesWithFactor(pSpec, total_gain, tl, spec_scale[w] + scale);
-    } else {
-      scaleValuesSaturate(pSpec, tl, spec_scale[w] + scale);
+      for (i = 0; i < tl; i++) {
+        pSpec[i] = fMult(pSpec[i], total_gain);
+      }
     }
+    loc_scale = fixmin_I(spec_scale[w] + scale, (INT)DFRACT_BITS - 1);
+    scaleValuesSaturate(pSpec, tl, loc_scale);
 
     if (noOutSamples <= nrSamples) {
       /* Divert output first half to overlap buffer if we already got enough