From ade11a1d6f3954ded789afcdac8ef4c80f9bb2f9 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 18 Oct 2019 14:04:50 +0200
Subject: [PATCH] Prevent signed integer overflows in CLpd_FAC_Mdct2Acelp().

Bug: 131430997
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I348fe4be577ac39f961352902d138a8e07982096
---
 libAACdec/src/usacdec_fac.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libAACdec/src/usacdec_fac.cpp b/libAACdec/src/usacdec_fac.cpp
index 3c0b1ce..b246171 100644
--- a/libAACdec/src/usacdec_fac.cpp
+++ b/libAACdec/src/usacdec_fac.cpp
@@ -344,7 +344,7 @@ INT CLpd_FAC_Mdct2Acelp(H_MDCT hMdct, FIXP_DBL *output, FIXP_DBL *pFac,
       /* Overlap Add */
       x0 = -fMult(*pOvl--, pWindow[i].v.re);
 
-      *pOut0 += IMDCT_SCALE_DBL(x0);
+      *pOut0 = fAddSaturate(*pOut0, IMDCT_SCALE_DBL(x0));
       pOut0++;
     }
   } else {
@@ -354,7 +354,7 @@ INT CLpd_FAC_Mdct2Acelp(H_MDCT hMdct, FIXP_DBL *output, FIXP_DBL *pFac,
       /* Overlap Add */
       x0 = fMult(*pOvl--, pWindow[i].v.re);
 
-      *pOut0 += IMDCT_SCALE_DBL(x0);
+      *pOut0 = fAddSaturate(*pOut0, IMDCT_SCALE_DBL(x0));
       pOut0++;
     }
   }
@@ -362,7 +362,7 @@ INT CLpd_FAC_Mdct2Acelp(H_MDCT hMdct, FIXP_DBL *output, FIXP_DBL *pFac,
       0) { /* this should only happen for ACELP -> TCX20 -> ACELP transition */
     FIXP_DBL *pOut = pOut0 - fl / 2; /* fl/2 == fac_length */
     for (i = 0; i < fl / 2; i++) {
-      pOut[i] += IMDCT_SCALE_DBL(hMdct->pFacZir[i]);
+      pOut[i] = fAddSaturate(pOut[i], IMDCT_SCALE_DBL(hMdct->pFacZir[i]));
     }
     hMdct->pFacZir = NULL;
   }