summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWei Jia <wjia@google.com>2015-08-21 20:26:35 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-08-21 20:26:35 +0000
commit70942a9711aa8afb0d9770ffde42c2e784cb21e3 (patch)
tree7c5b011db9104aa0252116461e631db262a94015
parent892c138acd55a3080cf2c9cdd2b9aa8c51e58e54 (diff)
parent37ede8b5404f89e496638be92c83fec51d2b60e9 (diff)
downloadandroid_external_sonivox-70942a9711aa8afb0d9770ffde42c2e784cb21e3.tar.gz
android_external_sonivox-70942a9711aa8afb0d9770ffde42c2e784cb21e3.tar.bz2
android_external_sonivox-70942a9711aa8afb0d9770ffde42c2e784cb21e3.zip
am 37ede8b5: am 5d2e7de3: Sonivox: fix overflow in Parse_data in eas_mdls.c
* commit '37ede8b5404f89e496638be92c83fec51d2b60e9': Sonivox: fix overflow in Parse_data in eas_mdls.c
-rw-r--r--arm-wt-22k/lib_src/eas_mdls.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c
index d66c734..f260c05 100644
--- a/arm-wt-22k/lib_src/eas_mdls.c
+++ b/arm-wt-22k/lib_src/eas_mdls.c
@@ -139,6 +139,14 @@ extern double log10(double x);
#define DLS_MAX_INST_COUNT 256
#define MAX_DLS_WAVE_SIZE (1024*1024)
+#ifndef EAS_U32_MAX
+#define EAS_U32_MAX (4294967295U)
+#endif
+
+#ifndef EAS_I32_MAX
+#define EAS_I32_MAX (2147483647)
+#endif
+
/*------------------------------------
* typedefs
*------------------------------------
@@ -1126,6 +1134,14 @@ static EAS_RESULT Parse_wsmp (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, S_WS
/* get loop length */
if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, &p->loopLength, EAS_FALSE)) != EAS_SUCCESS)
return result;
+
+ /* ensure no overflow */
+ if (p->loopLength
+ && ((p->loopStart > EAS_U32_MAX - p->loopLength)
+ || (p->loopStart + p->loopLength > EAS_U32_MAX / sizeof(EAS_SAMPLE))))
+ {
+ return EAS_FAILURE;
+ }
}
return EAS_SUCCESS;
@@ -1272,7 +1288,15 @@ static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_
/* for looped samples, copy the last sample to the end */
if (pWsmp->loopLength)
+ {
+ if (pDLSData->wavePoolSize < sizeof(EAS_SAMPLE)
+ || (pWsmp->loopStart + pWsmp->loopLength) * sizeof(EAS_SAMPLE) > pDLSData->wavePoolSize - sizeof(EAS_SAMPLE))
+ {
+ return EAS_FAILURE;
+ }
+
pSample[pWsmp->loopStart + pWsmp->loopLength] = pSample[pWsmp->loopStart];
+ }
return EAS_SUCCESS;
}