summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndroid Build Merger (Role) <noreply-android-build-merger@google.com>2018-04-03 22:10:38 +0000
committerAndroid Build Merger (Role) <noreply-android-build-merger@google.com>2018-04-03 22:10:38 +0000
commit88510ce7be4ab4425bca6d17f31929d6518c786b (patch)
tree69a44620040d4973fa76ad8c8f0269e9c9300eb4
parentf4e4b72a7a7fea9c29fd2333ccc92a94fedf8e65 (diff)
parentb0081b7c5814ab402376e69993b33c9ac91fe12c (diff)
downloadsonivox-88510ce7be4ab4425bca6d17f31929d6518c786b.tar.gz
[automerger] sonivox: fix hang caused by bad meta-event am: ba9ea23466 am: 3983856ec1 am: 59644944e2 am: f3c51f7f1e am: d2901553df am: b0081b7c58
Change-Id: If0d6fbd7cc365a24e51b8b8395030fc43be192fd
Diffstat
-rw-r--r--arm-wt-22k/lib_src/eas_smf.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/arm-wt-22k/lib_src/eas_smf.c b/arm-wt-22k/lib_src/eas_smf.c
index 8b54b8e..3c284eb 100644
--- a/arm-wt-22k/lib_src/eas_smf.c
+++ b/arm-wt-22k/lib_src/eas_smf.c
@@ -29,6 +29,8 @@
*----------------------------------------------------------------------------
*/
+#include "log/log.h"
+
#include "eas_data.h"
#include "eas_miditypes.h"
#include "eas_parser.h"
@@ -833,6 +835,20 @@ static EAS_RESULT SMF_ParseMetaEvent (S_EAS_DATA *pEASData, S_SMF_DATA *pSMFData
/* get the current file position so we can skip the event */
if ((result = EAS_HWFilePos(pEASData->hwInstData, pSMFStream->fileHandle, &pos)) != EAS_SUCCESS)
return result;
+
+ /* prevent a large unsigned length from being treated as a negative length */
+ if ((EAS_I32) len < 0) {
+ /* note that EAS_I32 is a long, which can be 64-bits on some computers */
+ ALOGE("b/68953854 SMF_ParseMetaEvent, negative len = %ld\n", (EAS_I32) len);
+ return EAS_ERROR_FILE_FORMAT;
+ }
+ /* prevent numeric overflow caused by a very large len, assume pos > 0 */
+ const EAS_I32 EAS_I32_MAX = 0x7FFFFFFF;
+ if ((EAS_I32) len > (EAS_I32_MAX - pos)) {
+ ALOGE("b/68953854 SMF_ParseMetaEvent, too large len = %ld\n", (EAS_I32) len);
+ return EAS_ERROR_FILE_FORMAT;
+ }
+
pos += (EAS_I32) len;
/* end of track? */
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-22 08:11:35 +0000