diff options
| author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2020-04-30 04:24:53 +0530 |
|---|---|---|
| committer | Anis Assi <anisassi@google.com> | 2020-06-30 16:09:53 -0700 |
| commit | 1da7b1f2da254f5afa401593847814d898649684 (patch) | |
| tree | cbee70b04852ed2a4d9e2cc963558b8cb931d6c6 | |
| parent | 9fdc11bf99b652c70d50439d8446698a4e3d9a6d (diff) | |
| download | sonivox-android-security-8.1.0_r88.tar.gz | |
Check data consistency in mdls parsingandroid-security-8.1.0_r92android-security-8.1.0_r91android-security-8.1.0_r90android-security-8.1.0_r89android-security-8.1.0_r88android-security-8.1.0_r87android-security-8.1.0_r86android-security-8.1.0_r85android-security-8.1.0_r84android-security-8.1.0_r83android-security-8.1.0_r82android-8.1.0_r81android-8.1.0_r80
Added checks to ensure consistency of waveCount, instCount,
regionCount and artCount in two passes of parsing
Bug: 150159669
Bug: 150160279
Bug: 150159906
Bug: 150160041
Test: poc in bug
Merged-In: I6f3098b029b6da56415a588882a5bb908edd3db7
Change-Id: I6f3098b029b6da56415a588882a5bb908edd3db7
(cherry picked from commit c049c140e3aff87f1c6e557437cc050dd864cc5f)
(cherry picked from commit e689e94f3b7473497052e81d906a10a82407e559)
| -rw-r--r-- | arm-wt-22k/host_src/eas_types.h | 1 | ||||
| -rw-r--r-- | arm-wt-22k/lib_src/eas_mdls.c | 32 |
2 files changed, 33 insertions, 0 deletions
diff --git a/arm-wt-22k/host_src/eas_types.h b/arm-wt-22k/host_src/eas_types.h index df1d1d8..56d0b53 100644 --- a/arm-wt-22k/host_src/eas_types.h +++ b/arm-wt-22k/host_src/eas_types.h @@ -76,6 +76,7 @@ typedef long EAS_RESULT; #define EAS_ERROR_QUEUE_IS_FULL -36 #define EAS_ERROR_QUEUE_IS_EMPTY -37 #define EAS_ERROR_FEATURE_ALREADY_ACTIVE -38 +#define EAS_ERROR_DATA_INCONSISTENCY -39 /* special return codes */ #define EAS_EOF 3 diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c index 0c1c9f6..bfe54d3 100644 --- a/arm-wt-22k/lib_src/eas_mdls.c +++ b/arm-wt-22k/lib_src/eas_mdls.c @@ -850,6 +850,15 @@ static EAS_RESULT Parse_ptbl (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_ if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, &pDLSData->waveCount, EAS_FALSE)) != EAS_SUCCESS) return result; + /* if second pass, ensure waveCount matches with the value parsed in first pass */ + if (pDLSData->pDLS) + { + if (pDLSData->waveCount != pDLSData->pDLS->numDLSSamples) + { + return EAS_ERROR_DATA_INCONSISTENCY; + } + } + #if 0 /* just need the wave count on the first pass */ if (!pDLSData->pDLS) @@ -1361,6 +1370,15 @@ static EAS_RESULT Parse_lins (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_ if (temp != CHUNK_INS) continue; + /* if second pass, ensure instCount is less than numDLSPrograms */ + if (pDLSData->pDLS) + { + if (pDLSData->instCount >= pDLSData->pDLS->numDLSPrograms) + { + return EAS_ERROR_DATA_INCONSISTENCY; + } + } + if ((result = Parse_ins(pDLSData, chunkPos + 12, size)) != EAS_SUCCESS) return result; } @@ -1596,6 +1614,14 @@ static EAS_RESULT Parse_lrgn (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_ { /* dpp: EAS_ReportEx(_EAS_SEVERITY_WARNING, "DLS region count exceeded cRegions value in insh, extra region ignored\n"); */ } return EAS_SUCCESS; } + /* if second pass, ensure regionCount is less than numDLSRegions */ + if (pDLSData->pDLS) + { + if (pDLSData->regionCount >= pDLSData->pDLS->numDLSRegions) + { + return EAS_ERROR_DATA_INCONSISTENCY; + } + } if ((result = Parse_rgn(pDLSData, chunkPos + 12, size, artIndex)) != EAS_SUCCESS) return result; regionCount++; @@ -1743,6 +1769,12 @@ static EAS_RESULT Parse_rgn (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I /* if local data was found convert it */ if (art.values[PARAM_MODIFIED] == EAS_TRUE) { + /* ensure artCount is less than numDLSArticulations */ + if (pDLSData->artCount >= pDLSData->pDLS->numDLSArticulations) + { + return EAS_ERROR_DATA_INCONSISTENCY; + } + Convert_art(pDLSData, &art, (EAS_U16) pDLSData->artCount); artIndex = (EAS_U16) pDLSData->artCount; } |