From 3c021d19b9d3905fe1f2cb3633c60ad4b595eb77 Mon Sep 17 00:00:00 2001
From: Shashank Pathmudi
Date: Fri, 16 Jan 2026 10:51:53 +0530
Subject: [PATCH 1/3] Fix for integer overflow issue in ixheaacd_merge_res_decor
Significance:
=============
Disabling of integer overflow check in ixheaacd_merge_res_decor function as it does not involve any pointer arithmetic that can lead to Out-of-bounds issue.
Bug: ossFuzz: 475582659
Test: poc in bug
---
 decoder/ixheaacd_mps_process.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/decoder/ixheaacd_mps_process.c b/decoder/ixheaacd_mps_process.c
index 64663386..4d3e73f4 100644
--- a/decoder/ixheaacd_mps_process.c
+++ b/decoder/ixheaacd_mps_process.c
@@ -257,6 +257,7 @@ VOID ixheaacd_hybrid_qmf_analysis(ia_heaac_mps_state_struct *pstr_mps_state) {
 }
 }
+ATTR_NO_SANITIZE_INTEGER
 VOID ixheaacd_merge_res_decor(ia_heaac_mps_state_struct *pstr_mps_state) {
 WORD32 ts, qs, row, res;
From e8be8dcb28c71ee5b6a548836cd8ad61cefb1da1 Mon Sep 17 00:00:00 2001
From: Shashank Pathmudi
Date: Fri, 16 Jan 2026 16:48:05 +0530
Subject: [PATCH 2/3] Fix for integer-overflow in ixheaacd_apply_ana_hyb_filt_bank_create_x
Significance:
============
This change addresses a corner case arithmetic operations involving addition.
Bug: ossFuzz: 476179559
Test: poc in bug
---
 decoder/ixheaacd_mps_hybrid_filt.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/decoder/ixheaacd_mps_hybrid_filt.c b/decoder/ixheaacd_mps_hybrid_filt.c
index 57177d32..60c1b7a4 100644
--- a/decoder/ixheaacd_mps_hybrid_filt.c
+++ b/decoder/ixheaacd_mps_hybrid_filt.c
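Review bot: The `ATTR_NO_SANITIZE_INTEGER` annotation on `ixheaacd_merge_res_decor` silences the sanitizer for the whole function instead of bounding the one operation the fuzzer tripped, so an overflow added to this function later, including one that does reach an index or size, would no longer be reported. The macro's definition is not in the hunk; if it only disables instrumentation, a signed overflow in the body is still undefined behaviour in C and the compiler may optimise on the assumption that it cannot occur. Saturating the affected operation with a helper such as `ixheaac_add32_sat`, as the second patch in this series does, would keep the check active. If the attribute stays, record the reasoning at the definition, e.g. `/* sanitizer off: overflow here affects sample values only, never an index or size */`. The function body lies outside the hunk, so the commit message's claim about pointer arithmetic cannot be confirmed from here.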
@@ -760,15 +760,15 @@ VOID ixheaacd_apply_ana_hyb_filt_bank_create_x(
 *p_hybrid_re++ = m_temp_output_real[7];
 *p_hybrid_re++ = m_temp_output_real[0];
 *p_hybrid_re++ = m_temp_output_real[1];
- *p_hybrid_re++ = (m_temp_output_real[2] + m_temp_output_real[5]);
- *p_hybrid_re++ = (m_temp_output_real[3] + m_temp_output_real[4]);
+ *p_hybrid_re++ = ixheaac_add32_sat(m_temp_output_real[2], m_temp_output_real[5]);
+ *p_hybrid_re++ = ixheaac_add32_sat(m_temp_output_real[3], m_temp_output_real[4]);
 *p_hybrid_im++ = m_temp_output_imag[6];
 *p_hybrid_im++ = m_temp_output_imag[7];
 *p_hybrid_im++ = m_temp_output_imag[0];
 *p_hybrid_im++ = m_temp_output_imag[1];
- *p_hybrid_im++ = (m_temp_output_imag[2] + m_temp_output_imag[5]);
- *p_hybrid_im++ = (m_temp_output_imag[3] + m_temp_output_imag[4]);
+ *p_hybrid_im++ = ixheaac_add32_sat(m_temp_output_imag[2], m_temp_output_imag[5]);
+ *p_hybrid_im++ = ixheaac_add32_sat(m_temp_output_imag[3], m_temp_output_imag[4]);
 ixheaacd_2ch_filtering(
 &(hyb_state->buffer_lf_real[1][time_slot + nr_samples_shift_lf + 1 - PROTO_LEN]),
From 48b96c6057715f5c367d784a676fda71ee90b281 Mon Sep 17 00:00:00 2001
From: Shashank Pathmudi <100897@ittiam.com>
Date: Mon, 19 Jan 2026 10:29:20 +0530
Subject: [PATCH 3/3] Fix for integer-overflow in ixheaacd_map_index_data
Significance:
============
This change addresses a corner case arithmetic operations involving addition, subtraction and multiplication.
Bug: ossFuzz: 476187661
Test: poc in bug
---
 decoder/ixheaacd_mps_bitdec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/decoder/ixheaacd_mps_bitdec.c b/decoder/ixheaacd_mps_bitdec.c
index 83816890..b1fbf8da 100644
--- a/decoder/ixheaacd_mps_bitdec.c
+++ b/decoder/ixheaacd_mps_bitdec.c
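Review bot: The four saturated sums in `ixheaacd_apply_ana_hyb_filt_bank_create_x` carry no comment saying why the 2/5 and 3/4 pairs need `ixheaac_add32_sat`, so a later cleanup could revert them to plain `+` without noticing the regression. A one-line comment above the first sum, such as `/* saturate: these sums overflowed under fuzzing, see the bug in the commit message */`, would preserve the intent. The function starts and ends outside the hunk, so any other unsaturated additions on `m_temp_output_real` or `m_temp_output_imag` in the same function are not visible here and are worth checking against the same fuzzer input.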
@@ -1392,7 +1392,7 @@ static IA_ERRORCODE ixheaacd_factor_funct(WORD32 ott_vs_tot_db, WORD32 quant_mod
 WORD32 constfact;
 if (ott_vs_tot_db > 0) return IA_XHEAAC_MPS_DEC_EXE_FATAL_INVALID_MPS_PARAM;
- db_diff = -ott_vs_tot_db;
+ db_diff = ixheaac_negate32_sat(ott_vs_tot_db);
 switch (quant_mode) {
 case QUANT_MODE_0:
@@ -1416,7 +1416,9 @@ static IA_ERRORCODE ixheaacd_factor_funct(WORD32 ott_vs_tot_db, WORD32 quant_mod
 if (db_diff > (x_linear << 5)) {
 WORD32 db_diff_fix = db_diff >> 5;
- *factor = (db_diff_fix - (WORD32)x_linear) * constfact + ONE_IN_Q24;
+ *factor = ixheaac_add32_sat(
+ ixheaac_sat64_32(ixheaac_mult64(ixheaac_sub32_sat(db_diff_fix, x_linear), constfact)),
+ ONE_IN_Q24);
 } else {
 *factor = ONE_IN_Q24;
 }
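Review bot: After the `ott_vs_tot_db > 0` guard, the only input for which the negation can overflow is the most negative WORD32 value, and `ixheaac_negate32_sat` turns it into the largest positive `db_diff` instead of rejecting it. A ratio at that extreme is presumably not a legitimate decoded parameter, so the existing guard could return `IA_XHEAAC_MPS_DEC_EXE_FATAL_INVALID_MPS_PARAM` for it as well, which fails closed rather than carrying a clamped value into the factor computation. The valid range of `ott_vs_tot_db` is not visible in this hunk, so confirm it against the caller. The body of `ixheaacd_factor_funct` starts and ends outside the hunk.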
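Review bot: The rewritten `*factor` expression drops the `(WORD32)x_linear` cast that the removed line had, so `ixheaac_sub32_sat(db_diff_fix, x_linear)` now relies on an implicit conversion; the declaration of `x_linear` is outside the hunk, but the earlier cast suggests it is not a WORD32. Keeping the cast, `ixheaac_sub32_sat(db_diff_fix, (WORD32)x_linear)`, makes the intended signedness explicit. The guard `db_diff > (x_linear << 5)` just above is unchanged and still shifts without a range check, which matters if `x_linear` can be large. When the product saturates, the clamped value is written to `*factor` with no error path visible in the hunk, so a caller presumably cannot tell a clamped factor from a computed one.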