From 950d8efb1a0562d1402b6c3379db4e17d71c7578 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 29 Jun 2018 16:34:55 +0200
Subject: [PATCH] Unsigned Integer Overflow in InitSegmentBitfield()

Bug: 112662995
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Ida3b1d49dc35a03a3ff02f6e150cfb55e9e1da11
---
 libAACdec/src/aacdec_hcrs.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libAACdec/src/aacdec_hcrs.cpp b/libAACdec/src/aacdec_hcrs.cpp
index 1d5aa27..d2bc867 100644
--- a/libAACdec/src/aacdec_hcrs.cpp
+++ b/libAACdec/src/aacdec_hcrs.cpp
@@ -367,7 +367,10 @@ static UINT InitSegmentBitfield(UINT *pNumSegment,
   UINT tempWord;
   USHORT numValidSegment;
 
-  *pNumWordForBitfield = ((*pNumSegment - 1) >> THIRTYTWO_LOG_DIV_TWO_LOG) + 1;
+  *pNumWordForBitfield =
+      (*pNumSegment == 0)
+          ? 0
+          : ((*pNumSegment - 1) >> THIRTYTWO_LOG_DIV_TWO_LOG) + 1;
 
   /* loop over all words, which are completely used or only partial */
   /* bit in pSegmentBitfield is zero if segment is empty; bit in