Merge "Prevent bit buffer counter overflow." into pi-dev
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp
index b8b1327..362e0b6 100644
--- a/libAACdec/src/aacdecoder.cpp
+++ b/libAACdec/src/aacdecoder.cpp
@@ -2519,8 +2519,14 @@
     if (!(self->flags[0] &
           (AC_USAC | AC_RSVD50 | AC_RSV603DA | AC_ELD | AC_SCALABLE | AC_ER)))
       type = (MP4_ELEMENT_ID)FDKreadBits(bs, 3);
-    else
+    else {
+      if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) {
+        self->frameOK = 0;
+        ErrorStatus = AAC_DEC_PARSE_ERROR;
+        break;
+      }
       type = self->elements[element_count];
+    }
 
     if ((self->flags[streamIndex] & (AC_USAC | AC_RSVD50) &&
          element_count == 0) ||
@@ -2564,6 +2570,11 @@
       case ID_USAC_SCE:
       case ID_USAC_CPE:
       case ID_USAC_LFE:
+        if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) {
+          self->frameOK = 0;
+          ErrorStatus = AAC_DEC_PARSE_ERROR;
+          break;
+        }
 
         el_channels = CAacDecoder_GetELChannels(
             type, self->usacStereoConfigIndex[element_count]);
@@ -2795,12 +2806,24 @@
       } break;
 
       case ID_EXT:
+        if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) {
+          self->frameOK = 0;
+          ErrorStatus = AAC_DEC_PARSE_ERROR;
+          break;
+        }
+
         ErrorStatus = aacDecoder_ParseExplicitMpsAndSbr(
             self, bs, previous_element, previous_element_index, element_count,
             el_cnt);
         break;
 
       case ID_USAC_EXT: {
+        if ((element_count - element_count_prev_streams) >=
+            TP_USAC_MAX_ELEMENTS) {
+          self->frameOK = 0;
+          ErrorStatus = AAC_DEC_PARSE_ERROR;
+          break;
+        }
         /* parse extension element payload
            q.v. rsv603daExtElement() ISO/IEC DIS 23008-3  Table 30
            or   UsacExElement() ISO/IEC FDIS 23003-3:2011(E)  Table 21
diff --git a/libAACdec/src/conceal.cpp b/libAACdec/src/conceal.cpp
index a6064b6..569d672 100644
--- a/libAACdec/src/conceal.cpp
+++ b/libAACdec/src/conceal.cpp
@@ -2080,11 +2080,11 @@
       noiseVal = FX_DBL2FX_PCM(fMult(noiseValLong, TDNoiseAtt));
 
       /* add filtered noise - check for clipping, before */
-      if (pcmdata[ii] > (FIXP_PCM)MAXVAL_FIXP_PCM - noiseVal &&
-          noiseVal > (FIXP_PCM)0) {
+      if (noiseVal > (FIXP_PCM)0 &&
+          pcmdata[ii] > (FIXP_PCM)MAXVAL_FIXP_PCM - noiseVal) {
         noiseVal = noiseVal * (FIXP_PCM)-1;
-      } else if (pcmdata[ii] < (FIXP_PCM)MINVAL_FIXP_PCM - noiseVal &&
-                 noiseVal < (FIXP_PCM)0) {
+      } else if (noiseVal < (FIXP_PCM)0 &&
+                 pcmdata[ii] < (FIXP_PCM)MINVAL_FIXP_PCM - noiseVal) {
         noiseVal = noiseVal * (FIXP_PCM)-1;
       }
 
diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index b0f1c6a..8d411e8 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -2102,7 +2102,9 @@
     self->m_aot = getAOT(bs);
     self->m_samplingFrequency =
         getSampleRate(bs, &self->m_samplingFrequencyIndex, 4);
-    if (self->m_samplingFrequency <= 0) {
+    if (self->m_samplingFrequency <= 0 ||
+        (self->m_samplingFrequency > 96000 && self->m_aot != 39) ||
+        self->m_samplingFrequency > 4 * 96000) {
       return TRANSPORTDEC_PARSE_ERROR;
     }