diff options
author | akirilov <akirilov@google.com> | 2018-04-03 15:33:00 -0700 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2018-04-03 15:33:00 -0700 |
commit | 35388b2b37c541a33064a52492a65a196701a673 (patch) | |
tree | 330602c62544ba2a780117efe94fed0f92960407 | |
parent | 7b678a6e89b68d7d691240aa6674657df76b9a0a (diff) | |
parent | 096edd76c81c7e9ab06527b43aa8051d16289c19 (diff) | |
download | sonivox-35388b2b37c541a33064a52492a65a196701a673.tar.gz |
[automerger] sonivox: fix hang caused by bad meta-event am: ba9ea23466 am: 3983856ec1 am: 59644944e2 am: f3c51f7f1e am: d2901553df am: b0081b7c58 am: 88510ce7be am: ef8ae5940d am: 52fae8ba07 am: c315f9d3f6
am: 096edd76c8
Change-Id: I55e1201e8f34531bdf18ab3a14a24b3f210da741
-rw-r--r-- | arm-wt-22k/lib_src/eas_smf.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/arm-wt-22k/lib_src/eas_smf.c b/arm-wt-22k/lib_src/eas_smf.c index 8b54b8e..3c284eb 100644 --- a/arm-wt-22k/lib_src/eas_smf.c +++ b/arm-wt-22k/lib_src/eas_smf.c @@ -29,6 +29,8 @@ *---------------------------------------------------------------------------- */ +#include "log/log.h" + #include "eas_data.h" #include "eas_miditypes.h" #include "eas_parser.h" @@ -833,6 +835,20 @@ static EAS_RESULT SMF_ParseMetaEvent (S_EAS_DATA *pEASData, S_SMF_DATA *pSMFData /* get the current file position so we can skip the event */ if ((result = EAS_HWFilePos(pEASData->hwInstData, pSMFStream->fileHandle, &pos)) != EAS_SUCCESS) return result; + + /* prevent a large unsigned length from being treated as a negative length */ + if ((EAS_I32) len < 0) { + /* note that EAS_I32 is a long, which can be 64-bits on some computers */ + ALOGE("b/68953854 SMF_ParseMetaEvent, negative len = %ld\n", (EAS_I32) len); + return EAS_ERROR_FILE_FORMAT; + } + /* prevent numeric overflow caused by a very large len, assume pos > 0 */ + const EAS_I32 EAS_I32_MAX = 0x7FFFFFFF; + if ((EAS_I32) len > (EAS_I32_MAX - pos)) { + ALOGE("b/68953854 SMF_ParseMetaEvent, too large len = %ld\n", (EAS_I32) len); + return EAS_ERROR_FILE_FORMAT; + } + pos += (EAS_I32) len; /* end of track? */ |