Unsigned Integer Overflow in InitSegmentBitfield() Bug: 112662995 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Ida3b1d49dc35a03a3ff02f6e150cfb55e9e1da11

commit: 950d8efb1a0562d1402b6c3379db4e17d71c7578 [log] [tgz]
author: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de> Fri Jun 29 16:34:55 2018 +0200
committer: Jean-Michel Trivi <jmtrivi@google.com> Wed Dec 26 19:45:18 2018 -0500
tree: b9cb14f1472572b3907379571a86d9808fc0d93d
parent: f59fd73d4443b015b11a362c807f6b828658a799 [diff]
diff --git a/libAACdec/src/aacdec_hcrs.cpp b/libAACdec/src/aacdec_hcrs.cpp
index 1d5aa27..d2bc867 100644
--- a/libAACdec/src/aacdec_hcrs.cpp
+++ b/libAACdec/src/aacdec_hcrs.cpp

@@ -367,7 +367,10 @@
   UINT tempWord;
   USHORT numValidSegment;
 
-  *pNumWordForBitfield = ((*pNumSegment - 1) >> THIRTYTWO_LOG_DIV_TWO_LOG) + 1;
+  *pNumWordForBitfield =
+      (*pNumSegment == 0)
+          ? 0
+          : ((*pNumSegment - 1) >> THIRTYTWO_LOG_DIV_TWO_LOG) + 1;
 
   /* loop over all words, which are completely used or only partial */
   /* bit in pSegmentBitfield is zero if segment is empty; bit in
commit	950d8efb1a0562d1402b6c3379db4e17d71c7578	[log] [tgz]
author	Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>	Fri Jun 29 16:34:55 2018 +0200
committer	Jean-Michel Trivi <jmtrivi@google.com>	Wed Dec 26 19:45:18 2018 -0500
tree	b9cb14f1472572b3907379571a86d9808fc0d93d
parent	f59fd73d4443b015b11a362c807f6b828658a799 [diff]