Merge cherrypicks of [4314173, 4314174, 4314175, 4314176, 4314471, 4314472, 4314473, 4314474, 4314475, 4314645, 4314646, 4314193, 4314476, 4314477, 4315350, 4315351, 4315352, 4315353, 4315354, 4314478, 4315430, 4314194, 4314195, 4314196, 4314197, 4314198, 4314199, 4314200, 4315093, 4315094, 4315095, 4315096, 4315097, 4315098, 4315099, 4315100, 4315501, 4315502, 4315503, 4314177, 4315431, 4315432, 4315433, 4315434, 4314178, 4314179, 4315355, 4315435, 4315382, 4315403, 4315404, 4315436, 4315437, 4315438, 4315439, 4315440, 4315521, 4315522, 4315523, 4315524, 4315525, 4315526, 4315527, 4315528, 4315529, 4314035, 4314230, 4315356, 4315530, 4315531, 4315471, 4315357, 4315358, 4314479, 4315532, 4315533, 4315534, 4315535, 4315536] into sparse-4732991-L06700000181398573android-8.1.0_r40 oreo-m4-s10-release

Change-Id: I63816bf06620e457af0fba35bd2226b0f703983d
author: android-build-team Robot <android-build-team-robot@google.com> 2018-06-11 22:31:44 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> 2018-06-11 22:31:44 +0000
commit: 7b33200e1e2429772573cf8b59dbacedb08e9f8d (patch)
tree: 330602c62544ba2a780117efe94fed0f92960407
parent: 31ce4285cd728af7f5f30c9ec9b25f12e28b676e (diff)
parent: 5431dab7ddcf02a511da671a709eed3e9598ff8f (diff)
download: sonivox-oreo-m4-s10-release.tar.gz
1 files changed, 16 insertions, 0 deletions
diff --git a/arm-wt-22k/lib_src/eas_smf.c b/arm-wt-22k/lib_src/eas_smf.c
index 8b54b8e..3c284eb 100644
--- a/arm-wt-22k/lib_src/eas_smf.c
+++ b/arm-wt-22k/lib_src/eas_smf.c
@@ -29,6 +29,8 @@
  *----------------------------------------------------------------------------
 */
 
+#include "log/log.h"
+
 #include "eas_data.h"
 #include "eas_miditypes.h"
 #include "eas_parser.h"
@@ -833,6 +835,20 @@ static EAS_RESULT SMF_ParseMetaEvent (S_EAS_DATA *pEASData, S_SMF_DATA *pSMFData
     /* get the current file position so we can skip the event */
     if ((result = EAS_HWFilePos(pEASData->hwInstData, pSMFStream->fileHandle, &pos)) != EAS_SUCCESS)
         return result;
+
+    /* prevent a large unsigned length from being treated as a negative length */
+    if ((EAS_I32) len < 0) {
+        /* note that EAS_I32 is a long, which can be 64-bits on some computers */
+        ALOGE("b/68953854 SMF_ParseMetaEvent, negative len = %ld\n", (EAS_I32) len);
+        return EAS_ERROR_FILE_FORMAT;
+    }
+    /* prevent numeric overflow caused by a very large len, assume pos > 0 */
+    const EAS_I32 EAS_I32_MAX = 0x7FFFFFFF;
+    if ((EAS_I32) len > (EAS_I32_MAX - pos)) {
+        ALOGE("b/68953854 SMF_ParseMetaEvent, too large len = %ld\n", (EAS_I32) len);
+        return EAS_ERROR_FILE_FORMAT;
+    }
+
     pos += (EAS_I32) len;
 
     /* end of track? */
author	android-build-team Robot <android-build-team-robot@google.com>	2018-06-11 22:31:44 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	2018-06-11 22:31:44 +0000
commit	7b33200e1e2429772573cf8b59dbacedb08e9f8d (patch)
tree	330602c62544ba2a780117efe94fed0f92960407
parent	31ce4285cd728af7f5f30c9ec9b25f12e28b676e (diff)
parent	5431dab7ddcf02a511da671a709eed3e9598ff8f (diff)
download	sonivox-oreo-m4-s10-release.tar.gz