diff options
| author | Marco Nelissen <marcone@google.com> | 2017-05-11 15:17:42 -0700 |
|---|---|---|
| committer | MSe <mse1969@posteo.de> | 2017-07-07 21:00:43 +0200 |
| commit | 6545e18d849aad7ffef12ad97aa886d218084bbc (patch) | |
| tree | db7d0c416de1b35cf6c3d4b0eab464e4a29709b5 | |
| parent | f7b1abeb6bfd9eb404be641ea347cf2b1198140e (diff) | |
| download | android_external_sonivox-6545e18d849aad7ffef12ad97aa886d218084bbc.tar.gz android_external_sonivox-6545e18d849aad7ffef12ad97aa886d218084bbc.tar.bz2 android_external_sonivox-6545e18d849aad7ffef12ad97aa886d218084bbc.zip | |
Fix infinite recursion
Bug: 36725407
Test: decoded poc and other files with and without fix
AOSP-Change-Id: I9e23b2dbf133321bb01ae47c39761e17e46bd846
(cherry picked from commit ede62341663cf356edb20e3d14424aec767ea66b)
CVE-2017-0692
Change-Id: I72d0426fc73b390b31b152709ab2e810076827ee
| -rw-r--r-- | arm-wt-22k/lib_src/eas_xmf.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/arm-wt-22k/lib_src/eas_xmf.c b/arm-wt-22k/lib_src/eas_xmf.c index 05b329e..5b398c4 100644 --- a/arm-wt-22k/lib_src/eas_xmf.c +++ b/arm-wt-22k/lib_src/eas_xmf.c @@ -27,6 +27,8 @@ *---------------------------------------------------------------------------- */ +#include <log/log.h> + #include "eas_data.h" #include "eas_miditypes.h" #include "eas_parser.h" @@ -646,6 +648,11 @@ static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFD for ( ; numItems > 0; numItems--) { /* process this item */ + if (offset <= nodeOffset) { + ALOGE("b/36725407: parser did not advance"); + return EAS_ERROR_FILE_FORMAT; + } + if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length)) != EAS_SUCCESS) return result; |