[FFmpeg-devel] [PATCH] aacdec_ac: fix signed overflow in ff_aac_ac_update_context()
Lynne
dev at lynne.ee
Fri May 23 00:46:53 EEST 2025
The issue is that state->cur[] is 8-bits, but a+b+1 can overflow
before being clipped to 0xF in the following line, causing an incorrect
state to be saved for the next symbol.
This solves numerous bitstream desyncs, particularly when coefficients
with magnitude greater than 127 are sent.
---
libavcodec/aac/aacdec_ac.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/libavcodec/aac/aacdec_ac.c b/libavcodec/aac/aacdec_ac.c
index 7e5077cd19..5104604fa5 100644
--- a/libavcodec/aac/aacdec_ac.c
+++ b/libavcodec/aac/aacdec_ac.c
@@ -91,10 +91,7 @@ uint32_t ff_aac_ac_get_pk(uint32_t c)
void ff_aac_ac_update_context(AACArithState *state, int idx,
uint16_t a, uint16_t b)
{
- state->cur[0] = a + b + 1;
- if (state->cur[0] > 0xF)
- state->cur[0] = 0xF;
-
+ state->cur[0] = FFMIN(a + b + 1, 0xF);
state->cur[3] = state->cur[2];
state->cur[2] = state->cur[1];
state->cur[1] = state->cur[0];
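Review bot: The new `state->cur[0] = FFMIN(a + b + 1, 0xF);` line has no comment saying the clamp must happen before the value is narrowed into `cur[]`, which the commit message describes as 8-bit. Without one, a later cleanup could reintroduce the store-then-compare pattern of the removed lines. A one-line comment above the assignment would record that. The subject also calls this a "signed overflow", but `a` and `b` are `uint16_t`, so where `int` is 32 bits `a + b + 1` is evaluated in `int` and cannot overflow. What the removed lines lost was the upper bits of the sum when it was stored into `cur[0]` before the `> 0xF` test, so "truncation" would describe the bug more precisely. `FFMIN` evaluating its argument twice is harmless here, since the expression has no side effects.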
--
2.49.0.395.g12beb8f557c