Merge cherrypicks of [4027695, 4027696, 4025411, 4025412, 4026839, 4025429, 4025430, 4025346, 4025347, 4025348, 4025413, 4025414, 4027656, 4027657, 4027658, 4027659, 4027097, 4027098, 4027099, 4027100, 4027101, 4027715, 4027716, 4025431, 4025349, 4027697, 4027698, 4027699, 4027700, 4027701, 4027702, 4027703, 4027704, 4027706, 4025432, 4025433, 4027708, 4027709, 4026841, 4027662, 4027664, 4027666] into sparse-4732991-L45700000171084049android-8.1.0_r32oreo-m4-s6-release

Change-Id: I5b04360eb3cc419e181b5dd538a5cd9734fdf44f

1 files changed, 16 insertions, 0 deletions

diff --git a/arm-wt-22k/lib_src/eas_smf.c b/arm-wt-22k/lib_src/eas_smf.c
index 8b54b8e..3c284eb 100644
--- a/arm-wt-22k/lib_src/eas_smf.c
+++ b/arm-wt-22k/lib_src/eas_smf.c
@@ -29,6 +29,8 @@
  *----------------------------------------------------------------------------
 */
 
+#include "log/log.h"
+
 #include "eas_data.h"
 #include "eas_miditypes.h"
 #include "eas_parser.h"
@@ -833,6 +835,20 @@ static EAS_RESULT SMF_ParseMetaEvent (S_EAS_DATA *pEASData, S_SMF_DATA *pSMFData
     /* get the current file position so we can skip the event */
     if ((result = EAS_HWFilePos(pEASData->hwInstData, pSMFStream->fileHandle, &pos)) != EAS_SUCCESS)
         return result;
+
+    /* prevent a large unsigned length from being treated as a negative length */
+    if ((EAS_I32) len < 0) {
+        /* note that EAS_I32 is a long, which can be 64-bits on some computers */
+        ALOGE("b/68953854 SMF_ParseMetaEvent, negative len = %ld\n", (EAS_I32) len);
+        return EAS_ERROR_FILE_FORMAT;
+    }
+    /* prevent numeric overflow caused by a very large len, assume pos > 0 */
+    const EAS_I32 EAS_I32_MAX = 0x7FFFFFFF;
+    if ((EAS_I32) len > (EAS_I32_MAX - pos)) {
+        ALOGE("b/68953854 SMF_ParseMetaEvent, too large len = %ld\n", (EAS_I32) len);
+        return EAS_ERROR_FILE_FORMAT;
+    }
+
     pos += (EAS_I32) len;
 
     /* end of track? */