Merge "Unsigned Integer Overflow in InitSegmentBitfield()"
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp
index 24907ee..8993927 100644
--- a/libAACdec/src/aacdecoder.cpp
+++ b/libAACdec/src/aacdecoder.cpp
@@ -775,7 +775,7 @@
     /* For every AU get length and offset in the bitstream */
     prerollAULength[i] = escapedValue(hBs, 16, 16, 0);
     if (prerollAULength[i] > 0) {
-      prerollAUOffset[i] = auStartAnchor - FDKgetValidBits(hBs);
+      prerollAUOffset[i] = auStartAnchor - (INT)FDKgetValidBits(hBs);
       independencyFlag = FDKreadBit(hBs);
       if (i == 0 && !independencyFlag) {
         *numPrerollAU = 0;
diff --git a/libAACdec/src/channelinfo.h b/libAACdec/src/channelinfo.h
index 45a288f..4523400 100644
--- a/libAACdec/src/channelinfo.h
+++ b/libAACdec/src/channelinfo.h
@@ -359,7 +359,7 @@
   shouldBeUnion {
     struct {
       FIXP_DBL fac_data0[LFAC];
-      UCHAR fac_data_e[4];
+      SCHAR fac_data_e[4];
       FIXP_DBL
       *fac_data[4]; /* Pointers to unused parts of pSpectralCoefficient */
 
diff --git a/libAACdec/src/usacdec_acelp.cpp b/libAACdec/src/usacdec_acelp.cpp
index af1f488..9fecebf 100644
--- a/libAACdec/src/usacdec_acelp.cpp
+++ b/libAACdec/src/usacdec_acelp.cpp
@@ -579,11 +579,11 @@
     L_tmp = (FIXP_DBL)0;
 
     for (j = 0; j < M_LP_FILTER_ORDER; j++) {
-      L_tmp -= fMultDiv2(a[j], y[i - (j + 1)]);
+      L_tmp -= fMultDiv2(a[j], y[i - (j + 1)]) >> (LP_FILTER_SCALE - 1);
     }
 
-    L_tmp = scaleValue(L_tmp, a_exp + 1);
-    y[i] = L_tmp + x[i];
+    L_tmp = scaleValue(L_tmp, a_exp + LP_FILTER_SCALE);
+    y[i] = fAddSaturate(L_tmp, x[i]);
   }
 
   return;
@@ -631,10 +631,10 @@
     s = (FIXP_DBL)0;
 
     for (j = 0; j < M_LP_FILTER_ORDER; j++) {
-      s += fMultDiv2(a[j], x[i - j - 1]);
+      s += fMultDiv2(a[j], x[i - j - 1]) >> (LP_FILTER_SCALE - 1);
     }
 
-    s = scaleValue(s, a_exp + 1);
+    s = scaleValue(s, a_exp + LP_FILTER_SCALE);
     y[i] = fAddSaturate(s, x[i]);
   }
 
diff --git a/libAACdec/src/usacdec_const.h b/libAACdec/src/usacdec_const.h
index c7dbae7..f68e808 100644
--- a/libAACdec/src/usacdec_const.h
+++ b/libAACdec/src/usacdec_const.h
@@ -115,6 +115,7 @@
 
 /* definitions which are independent of coreCoderFrameLength */
 #define M_LP_FILTER_ORDER 16 /* LP filter order */
+#define LP_FILTER_SCALE 4    /* LP filter scale */
 
 #define PIT_MIN_12k8 34    /* Minimum pitch lag with resolution 1/4 */
 #define PIT_MAX_12k8 231   /* Maximum pitch lag for fs=12.8kHz */
diff --git a/libAACdec/src/usacdec_fac.cpp b/libAACdec/src/usacdec_fac.cpp
index 71ce4a9..c10a3fe 100644
--- a/libAACdec/src/usacdec_fac.cpp
+++ b/libAACdec/src/usacdec_fac.cpp
@@ -142,7 +142,7 @@
   return ptr;
 }
 
-int CLpd_FAC_Read(HANDLE_FDK_BITSTREAM hBs, FIXP_DBL *pFac, UCHAR *pFacScale,
+int CLpd_FAC_Read(HANDLE_FDK_BITSTREAM hBs, FIXP_DBL *pFac, SCHAR *pFacScale,
                   int length, int use_gain, int frame) {
   FIXP_DBL fac_gain;
   int fac_gain_e = 0;
@@ -191,13 +191,11 @@
     L_tmp = (FIXP_DBL)0;
 
     for (j = 0; j < fMin(i, M_LP_FILTER_ORDER); j++) {
-      L_tmp -= fMultDiv2(a[j], x[i - (j + 1)]);
+      L_tmp -= fMultDiv2(a[j], x[i - (j + 1)]) >> (LP_FILTER_SCALE - 1);
     }
 
-    L_tmp = scaleValue(L_tmp, a_exp + 1);
-
-    x[i] = scaleValueSaturate((x[i] >> 1) + (L_tmp >> 1),
-                              1); /* Avoid overflow issues and saturate. */
+    L_tmp = scaleValue(L_tmp, a_exp + LP_FILTER_SCALE);
+    x[i] = fAddSaturate(x[i], L_tmp);
   }
 }
 
@@ -538,7 +536,7 @@
   if (total_gain != (FIXP_DBL)0) {
     scaleValuesWithFactor(pSpec, total_gain, tl, spec_scale[0] + scale);
   } else {
-    scaleValues(pSpec, tl, spec_scale[0] + scale);
+    scaleValuesSaturate(pSpec, tl, spec_scale[0] + scale);
   }
 
   pOut1 += fl / 2 - 1;
@@ -627,7 +625,7 @@
     if (total_gain != (FIXP_DBL)0) {
       scaleValuesWithFactor(pSpec, total_gain, tl, spec_scale[w] + scale);
     } else {
-      scaleValues(pSpec, tl, spec_scale[w] + scale);
+      scaleValuesSaturate(pSpec, tl, spec_scale[w] + scale);
     }
 
     if (noOutSamples <= nrSamples) {
diff --git a/libAACdec/src/usacdec_fac.h b/libAACdec/src/usacdec_fac.h
index bf13552..100a6fa 100644
--- a/libAACdec/src/usacdec_fac.h
+++ b/libAACdec/src/usacdec_fac.h
@@ -131,7 +131,7 @@
  * Always 0 for FD case.
  * \return 0 on success, -1 on error.
  */
-int CLpd_FAC_Read(HANDLE_FDK_BITSTREAM hBs, FIXP_DBL *pFac, UCHAR *pFacScale,
+int CLpd_FAC_Read(HANDLE_FDK_BITSTREAM hBs, FIXP_DBL *pFac, SCHAR *pFacScale,
                   int length, int use_gain, int frame);
 
 /**
diff --git a/libAACdec/src/usacdec_lpd.cpp b/libAACdec/src/usacdec_lpd.cpp
index fde34ef..2110172 100644
--- a/libAACdec/src/usacdec_lpd.cpp
+++ b/libAACdec/src/usacdec_lpd.cpp
@@ -418,6 +418,7 @@
     FIXP_DBL tmp_pow2[32];
 
     s = s * 2 + ALFDPOW2_SCALE;
+    s = fMin(31, s);
 
     k = 8;
     i_max = lg / 4; /* ALFD range = 1600Hz (lg = 6400Hz) */
diff --git a/libAACenc/src/aacenc_lib.cpp b/libAACenc/src/aacenc_lib.cpp
index 11db3da..f92cff4 100644
--- a/libAACenc/src/aacenc_lib.cpp
+++ b/libAACenc/src/aacenc_lib.cpp
@@ -1733,9 +1733,10 @@
   }
 
   /* check if buffer descriptors are filled out properly. */
-  if ((AACENC_OK != validateBufDesc(inBufDesc)) ||
-      (AACENC_OK != validateBufDesc(outBufDesc)) || (inargs == NULL) ||
-      (outargs == NULL)) {
+  if ((inargs == NULL) || (outargs == NULL) ||
+      ((AACENC_OK != validateBufDesc(inBufDesc)) &&
+       (inargs->numInSamples > 0)) ||
+      (AACENC_OK != validateBufDesc(outBufDesc))) {
     err = AACENC_UNSUPPORTED_PARAMETER;
     goto bail;
   }
diff --git a/libArithCoding/src/ac_arith_coder.cpp b/libArithCoding/src/ac_arith_coder.cpp
index b791f39..a433b08 100644
--- a/libArithCoding/src/ac_arith_coder.cpp
+++ b/libArithCoding/src/ac_arith_coder.cpp
@@ -609,13 +609,16 @@
   return (j & 0x3F);
 }
 
-static void decode2(HANDLE_FDK_BITSTREAM bbuf, UCHAR *RESTRICT c_prev,
-                    FIXP_DBL *RESTRICT pSpectralCoefficient, INT n, INT nt) {
+static ARITH_CODING_ERROR decode2(HANDLE_FDK_BITSTREAM bbuf,
+                                  UCHAR *RESTRICT c_prev,
+                                  FIXP_DBL *RESTRICT pSpectralCoefficient,
+                                  INT n, INT nt) {
   Tastat as;
   int i, l, r;
   INT lev, esc_nb, pki;
   USHORT state_inc;
   UINT s;
+  ARITH_CODING_ERROR ErrorStatus = ARITH_CODER_OK;
 
   int c_3 = 0; /* context of current frame 3 time steps ago */
   int c_2 = 0; /* context of current frame 2 time steps ago */
@@ -655,6 +658,8 @@
 
       lev++;
 
+      if (lev > 23) return ARITH_CODER_ERROR;
+
       if (esc_nb < 7) {
         esc_nb++;
       }
@@ -721,6 +726,8 @@
   }
 
   FDKmemset(&c_prev[i], 1, sizeof(c_prev[0]) * (nt - i));
+
+  return ErrorStatus;
 }
 
 CArcoData *CArco_Create(void) { return GetArcoData(); }
@@ -763,7 +770,8 @@
   pArcoData->m_numberLinesPrev = lg_max;
 
   if (lg > 0) {
-    decode2(hBs, pArcoData->c_prev + 2, mdctSpectrum, lg >> 1, lg_max >> 1);
+    ErrorStatus =
+        decode2(hBs, pArcoData->c_prev + 2, mdctSpectrum, lg >> 1, lg_max >> 1);
   } else {
     FDKmemset(&pArcoData->c_prev[2], 1,
               sizeof(pArcoData->c_prev[2]) * (lg_max >> 1));
diff --git a/libFDK/include/scale.h b/libFDK/include/scale.h
index 07bd3af..30fa089 100644
--- a/libFDK/include/scale.h
+++ b/libFDK/include/scale.h
@@ -268,11 +268,11 @@
  * to avoid problems when inverting the sign of the result.
  */
 #ifndef SATURATE_LEFT_SHIFT_ALT
-#define SATURATE_LEFT_SHIFT_ALT(src, scale, dBits)                       \
-  (((LONG)(src) > ((LONG)(((1U) << ((dBits)-1)) - 1) >> (scale)))        \
-       ? (LONG)(((1U) << ((dBits)-1)) - 1)                               \
-       : ((LONG)(src) < ~((LONG)(((1U) << ((dBits)-1)) - 2) >> (scale))) \
-             ? ~((LONG)(((1U) << ((dBits)-1)) - 2))                      \
+#define SATURATE_LEFT_SHIFT_ALT(src, scale, dBits)                        \
+  (((LONG)(src) > ((LONG)(((1U) << ((dBits)-1)) - 1) >> (scale)))         \
+       ? (LONG)(((1U) << ((dBits)-1)) - 1)                                \
+       : ((LONG)(src) <= ~((LONG)(((1U) << ((dBits)-1)) - 1) >> (scale))) \
+             ? ~((LONG)(((1U) << ((dBits)-1)) - 2))                       \
              : ((LONG)(src) << (scale)))
 #endif