authorRicardo Cerqueira <ricardo@cyngn.com>2015-10-05 20:19:08 +0100
committerRicardo Cerqueira <ricardo@cyngn.com>2015-10-05 20:19:08 +0100
commit14291d960500464fb3d9ce135c5e057f038cacce (patch)
tree954ad8a2d30d0620ee570223ec0df595e0d39268
parent80852d465cd54e73eb37ba8fb3bab61266b5e380 (diff)
parentcb21414fbdac4dcb0bc4fc4f68a5e839a4376153 (diff)
Merge tag 'android-5.1.1_r23' into cm-12.1
Android 5.1.1 release 23
-rw-r--r--arm-wt-22k/lib_src/eas_mdls.c47
-rw-r--r--arm-wt-22k/lib_src/jet.c6
2 files changed, 49 insertions, 4 deletions
diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c
index 53d8882..a510b80 100644
--- a/arm-wt-22k/lib_src/eas_mdls.c
+++ b/arm-wt-22k/lib_src/eas_mdls.c
@@ -139,6 +139,14 @@ extern double log10(double x);
#define DLS_MAX_INST_COUNT 256
#define MAX_DLS_WAVE_SIZE (1024*1024)
+#ifndef EAS_U32_MAX
+#define EAS_U32_MAX (4294967295U)
+#endif
+
+#ifndef EAS_I32_MAX
+#define EAS_I32_MAX (2147483647)
+#endif
+
/*------------------------------------
* typedefs
*------------------------------------
@@ -408,7 +416,7 @@ static EAS_RESULT Parse_ptbl (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_
static EAS_RESULT Parse_wave (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_U16 waveIndex);
static EAS_RESULT Parse_wsmp (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, S_WSMP_DATA *p);
static EAS_RESULT Parse_fmt (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, S_WSMP_DATA *p);
-static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size, S_WSMP_DATA *p, EAS_SAMPLE *pSample);
+static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size, S_WSMP_DATA *p, EAS_SAMPLE *pSample, EAS_U32 sampleLen);
static EAS_RESULT Parse_lins(SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size);
static EAS_RESULT Parse_ins (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size);
static EAS_RESULT Parse_insh (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_U32 *pRgnCount, EAS_U32 *pLocale);
@@ -1029,7 +1037,7 @@ static EAS_RESULT Parse_wave (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_
}
/* allocate memory and read in the sample data */
- pSample = pDLSData->pDLS->pDLSSamples + pDLSData->wavePoolOffset;
+ pSample = (EAS_U8*)pDLSData->pDLS->pDLSSamples + pDLSData->wavePoolOffset;
pDLSData->pDLS->pDLSSampleOffsets[waveIndex] = pDLSData->wavePoolOffset;
pDLSData->pDLS->pDLSSampleLen[waveIndex] = (EAS_U32) size;
pDLSData->wavePoolOffset += (EAS_U32) size;
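Review bot: The new right-hand side has type `EAS_U8*`, but `pSample` is handed to `Parse_data` as an `EAS_SAMPLE*` in the next hunk, so unless `EAS_SAMPLE` is an unsigned 8-bit type the assignment relies on an implicit conversion between incompatible pointer types. Making the byte arithmetic and the final type explicit avoids that: `pSample = (EAS_SAMPLE*)((EAS_U8*)pDLSData->pDLS->pDLSSamples + pDLSData->wavePoolOffset);`. Because `wavePoolOffset` advances by a file-supplied `size`, it is also worth confirming that the offset stays aligned for `EAS_SAMPLE` and that `wavePoolOffset + size` is checked against the pool allocation before the data is read. Neither the declaration of `pSample` nor any such check is visible in this hunk, since the body of `Parse_wave` starts and ends outside it.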
@@ -1039,7 +1047,7 @@ static EAS_RESULT Parse_wave (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_
return EAS_ERROR_SOUND_LIBRARY;
}
- if ((result = Parse_data(pDLSData, dataPos, dataSize, p, pSample)) != EAS_SUCCESS)
+ if ((result = Parse_data(pDLSData, dataPos, dataSize, p, pSample, (EAS_U32)size)) != EAS_SUCCESS)
return result;
return EAS_SUCCESS;
@@ -1132,6 +1140,14 @@ static EAS_RESULT Parse_wsmp (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, S_WS
/* get loop length */
if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, &p->loopLength, EAS_FALSE)) != EAS_SUCCESS)
return result;
+
+ /* ensure no overflow */
+ if (p->loopLength
+ && ((p->loopStart > EAS_U32_MAX - p->loopLength)
+ || (p->loopStart + p->loopLength > EAS_U32_MAX / sizeof(EAS_SAMPLE))))
+ {
+ return EAS_FAILURE;
+ }
}
return EAS_SUCCESS;
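Review bot: The new rejection path returns `EAS_FAILURE`, while the malformed-wave path shown in `Parse_wave` returns `EAS_ERROR_SOUND_LIBRARY`, so a corrupt loop header is reported differently from other corrupt DLS data. The same applies to the checks added in `Parse_data` and in both `Parse_rgn` hunks. If callers do not depend on the distinction (they are not visible here), `return EAS_ERROR_SOUND_LIBRARY;` would keep the parser's error reporting uniform. The comment would also help more if it named what is protected, for example `/* reject loops whose end index, or its size in bytes, would wrap 32 bits; Parse_data and Parse_rgn rely on this */`.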
@@ -1223,7 +1239,7 @@ static EAS_RESULT Parse_fmt (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, S_WSM
*
*----------------------------------------------------------------------------
*/
-static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size, S_WSMP_DATA *pWsmp, EAS_SAMPLE *pSample)
+static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size, S_WSMP_DATA *pWsmp, EAS_SAMPLE *pSample, EAS_U32 sampleLen)
{
EAS_RESULT result;
EAS_U8 convBuf[SAMPLE_CONVERT_CHUNK_SIZE];
@@ -1278,7 +1294,15 @@ static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_
/* for looped samples, copy the last sample to the end */
if (pWsmp->loopLength)
+ {
+ if (sampleLen < sizeof(EAS_SAMPLE)
+ || (pWsmp->loopStart + pWsmp->loopLength) * sizeof(EAS_SAMPLE) > sampleLen - sizeof(EAS_SAMPLE))
+ {
+ return EAS_FAILURE;
+ }
+
pSample[pWsmp->loopStart + pWsmp->loopLength] = pSample[pWsmp->loopStart];
+ }
return EAS_SUCCESS;
}
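Review bot: The bound test added here is repeated verbatim in the last `Parse_rgn` hunk, and both copies are only safe if `Parse_wsmp` has already rejected a wrapping `loopStart + loopLength` for this `pWsmp`. A small static helper that performs the wrap check itself and compares by division instead of multiplication would keep the two call sites in step and remove that hidden dependency. The function header comment above `Parse_data` should also say that `sampleLen` is the destination buffer size in bytes. The body of `Parse_data` starts outside this hunk.

```c
/* EAS_TRUE when sample index loopStart + loopLength lies inside a buffer of sampleLen bytes */
static EAS_BOOL LoopEndInRange (const S_WSMP_DATA *pWsmp, EAS_U32 sampleLen)
{
    if (sampleLen < sizeof(EAS_SAMPLE) || pWsmp->loopStart > EAS_U32_MAX - pWsmp->loopLength)
        return EAS_FALSE;
    return (pWsmp->loopStart + pWsmp->loopLength) <= (sampleLen - sizeof(EAS_SAMPLE)) / sizeof(EAS_SAMPLE);
}

/* … unchanged: Parse_data sample read and conversion … */
    if (pWsmp->loopLength)
    {
        if (!LoopEndInRange(pWsmp, sampleLen))
            return EAS_FAILURE;
        pSample[pWsmp->loopStart + pWsmp->loopLength] = pSample[pWsmp->loopStart];
    }
```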
@@ -1682,6 +1706,10 @@ static EAS_RESULT Parse_rgn (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I
/* parse wlnk chunk */
if ((result = Parse_wlnk(pDLSData, wlnkPos, &waveIndex)) != EAS_SUCCESS)
return result;
+ if (waveIndex >= pDLSData->waveCount)
+ {
+ return EAS_FAILURE;
+ }
pWsmp = &pDLSData->wsmpData[waveIndex];
/* if there is any articulation data, parse it */
@@ -1724,6 +1752,17 @@ static EAS_RESULT Parse_rgn (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I
}
Convert_rgn(pDLSData, regionIndex, artIndex, (EAS_U16) waveIndex, pWsmp);
+
+ /* ensure loopStart and loopEnd fall in the range */
+ if (pWsmp->loopLength != 0)
+ {
+ EAS_U32 sampleLen = pDLSData->pDLS->pDLSSampleLen[waveIndex];
+ if (sampleLen < sizeof(EAS_SAMPLE)
+ || (pWsmp->loopStart + pWsmp->loopLength) * sizeof(EAS_SAMPLE) > sampleLen - sizeof(EAS_SAMPLE))
+ {
+ return EAS_FAILURE;
+ }
+ }
}
/* if local articulation, bump count */
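Review bot: The range check on `pWsmp->loopStart` and `pWsmp->loopLength` runs only after `Convert_rgn(...)` has already been given `pWsmp`, so a region with an out-of-range loop is converted before the function returns `EAS_FAILURE`. Moving the `if (pWsmp->loopLength != 0)` block above the `Convert_rgn` call would reject the region first. Whether the caller discards the partly built library on failure is not visible here. The check also reads `pDLSSampleLen[waveIndex]`, which is meaningful only if the wave pool was parsed before this region; that ordering lies outside the hunk and is worth confirming or stating in the comment.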
diff --git a/arm-wt-22k/lib_src/jet.c b/arm-wt-22k/lib_src/jet.c
index 97672cf..2f1541f 100644
--- a/arm-wt-22k/lib_src/jet.c
+++ b/arm-wt-22k/lib_src/jet.c
@@ -282,10 +282,16 @@ static EAS_RESULT JetParseInfoChunk (EAS_DATA_HANDLE easHandle, EAS_I32 pos, EAS
switch (infoType)
{
case INFO_NUM_SMF_CHUNKS:
+ if (temp >= JET_MAX_SEGMENTS) {
+ return EAS_ERROR_INCOMPATIBLE_VERSION;
+ }
easHandle->jetHandle->numSegments = (EAS_U8) temp;
break;
case INFO_NUM_DLS_CHUNKS:
+ if (temp >= JET_MAX_DLS_COLLECTIONS) {
+ return EAS_ERROR_INCOMPATIBLE_VERSION;
+ }
easHandle->jetHandle->numLibraries = (EAS_U8) temp;
break;
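Review bot: Both new guards use `>=`, so a file declaring exactly `JET_MAX_SEGMENTS` segments or `JET_MAX_DLS_COLLECTIONS` libraries is rejected as well, and nothing in the hunk says whether that is intended. If these counts bound arrays with that many entries (the declarations are not visible here), a one-line comment such as `/* count must stay below the table size; also guarantees the EAS_U8 cast cannot truncate */` would record the reasoning, or the test can be relaxed to `>` once the table sizes are confirmed. `EAS_ERROR_INCOMPATIBLE_VERSION` is also a surprising code for an out-of-range count; a file-format error code would tell the caller more precisely what went wrong.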