authorRobert Shih <robertshih@google.com>2017-12-01 19:48:35 (GMT)
committerIvan Kutepov <its.kutepov@gmail.com>2018-02-07 23:28:44 (GMT)
commitdcdae85f0f9f0d8223d6e7b63b96f561503ab648 (patch)
treeb4f80f57fceb0d23c45e021124d54e6b2835e395
parent145a08c5cc269a7fb3bc9deeb3a1578e42ec5e34 (diff)
Add recursion limit to XMF_ReadNode
Bug: 68160703 Test: stagefright poc.xmf Change-Id: I1ed8cbbfaf2f26e9d3679898a62669da87a2251d (cherry picked from commit 781ff001b9e734dd4297765b6b0d15f391cb06d9) CVE-2017-13229
-rw-r--r--arm-wt-22k/lib_src/eas_xmf.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/arm-wt-22k/lib_src/eas_xmf.c b/arm-wt-22k/lib_src/eas_xmf.c
index 169eb7e..07ee8f7 100644
--- a/arm-wt-22k/lib_src/eas_xmf.c
+++ b/arm-wt-22k/lib_src/eas_xmf.c
@@ -67,7 +67,7 @@ static EAS_RESULT XMF_Resume (S_EAS_DATA *pEASData, EAS_VOID_PTR pInstData);
static EAS_RESULT XMF_SetData (S_EAS_DATA *pEASData, EAS_VOID_PTR pInstData, EAS_I32 param, EAS_I32 value);
static EAS_RESULT XMF_GetData (S_EAS_DATA *pEASData, EAS_VOID_PTR pInstData, EAS_I32 param, EAS_I32 *pValue);
static EAS_RESULT XMF_FindFileContents (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData);
-static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength);
+static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength, EAS_I32 depth);
static EAS_RESULT XMF_ReadVLQ (EAS_HW_DATA_HANDLE hwInstData, EAS_FILE_HANDLE fileHandle, EAS_I32 *value);
@@ -504,6 +504,7 @@ static EAS_RESULT XMF_FindFileContents (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DAT
EAS_RESULT result;
EAS_I32 value;
EAS_I32 length;
+ EAS_I32 node_depth = 0 ;
/* initialize offsets */
pXMFData->dlsOffset = pXMFData->midiOffset = 0;
@@ -521,7 +522,7 @@ static EAS_RESULT XMF_FindFileContents (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DAT
/* get TreeStart offset and jump to it */
if ((result = XMF_ReadVLQ(hwInstData, pXMFData->fileHandle, &value)) != EAS_SUCCESS)
return result;
- if ((result = XMF_ReadNode(hwInstData, pXMFData, value, &length)) != EAS_SUCCESS)
+ if ((result = XMF_ReadNode(hwInstData, pXMFData, value, &length, node_depth)) != EAS_SUCCESS)
return result;
/* check for SMF data */
@@ -552,7 +553,7 @@ static EAS_RESULT XMF_FindFileContents (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DAT
*
*----------------------------------------------------------------------------
*/
-static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength)
+static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength, EAS_I32 depth)
{
EAS_RESULT result;
EAS_I32 refType;
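Review bot: The new `depth` parameter of XMF_ReadNode is not described in the visible tail of the function's header comment, which starts outside this hunk and ends just above the signature. A line such as `depth - nesting level of this node, 0 for the tree root; returns EAS_ERROR_FILE_FORMAT once the nesting limit is exceeded` would tell a future caller what to pass. The only external caller visible in this patch, in XMF_FindFileContents, passes 0 through `node_depth`, and that contract is currently stated nowhere.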
@@ -562,6 +563,10 @@ static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFD
EAS_I32 headerLength;
EAS_U32 chunkType;
+ /* check the depth of current node*/
+ if ( depth > 100 )
+ return EAS_ERROR_FILE_FORMAT;
+
/* seek to start of node */
if ((result = EAS_HWFileSeek(hwInstData, pXMFData->fileHandle, nodeOffset)) != EAS_SUCCESS)
return result;
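Review bot: The bound in `if ( depth > 100 )` is a bare literal, and the comment `/* check the depth of current node*/` does not say why a limit exists. A named constant, for example `#define XMF_MAX_NODE_DEPTH 100` (the name is only a suggestion), would help, together with a comment like `/* node offsets come from the file; cap nesting so a malformed file cannot recurse without bound */`. That would record the reason, which is presumably stack exhaustion given the commit title. Note also that `>` admits depths 0 through 100, i.e. 101 nested calls; if 100 levels is the intent, the comparison should be `>=`. The function body continues outside this hunk.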
@@ -656,7 +661,7 @@ static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFD
return EAS_ERROR_FILE_FORMAT;
}
- if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length)) != EAS_SUCCESS)
+ if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length, depth+1)) != EAS_SUCCESS)
return result;
/* seek to start of next item */
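Review bot: Passing `depth+1` to the recursive XMF_ReadNode call bounds how deep the recursion goes, but not how many nodes are parsed in total. The `offset` argument appears to come from file content, and the following `/* seek to start of next item */` suggests the call sits in a loop over child items; that loop is outside the hunk, so this is inferred. If so, a malformed file whose items refer back to earlier nodes could still cause a very large number of calls, each branch only ending at the depth cap. Consider, if the format permits it, also rejecting a child `offset` that is not greater than `nodeOffset`, or counting visited nodes per file and returning `EAS_ERROR_FILE_FORMAT` past a fixed bound.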