Unsigned Integer Overflow in InitSegmentBitfield()
Bug: 112662995
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Ida3b1d49dc35a03a3ff02f6e150cfb55e9e1da11
diff --git a/libAACdec/src/aacdec_hcrs.cpp b/libAACdec/src/aacdec_hcrs.cpp
index 1d5aa27..d2bc867 100644
--- a/libAACdec/src/aacdec_hcrs.cpp
+++ b/libAACdec/src/aacdec_hcrs.cpp
@@ -367,7 +367,10 @@
UINT tempWord;
USHORT numValidSegment;
- *pNumWordForBitfield = ((*pNumSegment - 1) >> THIRTYTWO_LOG_DIV_TWO_LOG) + 1;
+ *pNumWordForBitfield =
+ (*pNumSegment == 0)
+ ? 0
+ : ((*pNumSegment - 1) >> THIRTYTWO_LOG_DIV_TWO_LOG) + 1;
/* loop over all words, which are completely used or only partial */
/* bit in pSegmentBitfield is zero if segment is empty; bit in