diff options
author | Wei Jia <wjia@google.com> | 2015-08-25 19:07:10 -0700 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2018-02-08 02:28:43 +0300 |
commit | ffaf075e5fa8155312bbaddffa73f3fe272566d8 (patch) | |
tree | 70ff4e031c5c694505f7e1f55d2add791dcca449 /arm-wt-22k/lib_src/eas_xmf.c | |
parent | 4fa4fd30aaa57a857384cef9bfa87d8846304dff (diff) | |
download | android_external_sonivox-ffaf075e5fa8155312bbaddffa73f3fe272566d8.tar.gz android_external_sonivox-ffaf075e5fa8155312bbaddffa73f3fe272566d8.tar.bz2 android_external_sonivox-ffaf075e5fa8155312bbaddffa73f3fe272566d8.zip |
Sonivox: sanity check headerLength in XMF_ReadNode.
Bug: 23342881
Bug: 35472997
Change-Id: I025338c5f0b39cac89ad786afc69cf085e830568
(cherry picked from commit eefb545f69f6ae1e8b32150dd9a28b73cc751f17)
CVE-2017-0644
Diffstat (limited to 'arm-wt-22k/lib_src/eas_xmf.c')
-rw-r--r-- | arm-wt-22k/lib_src/eas_xmf.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/arm-wt-22k/lib_src/eas_xmf.c b/arm-wt-22k/lib_src/eas_xmf.c index 5b398c4..169eb7e 100644 --- a/arm-wt-22k/lib_src/eas_xmf.c +++ b/arm-wt-22k/lib_src/eas_xmf.c @@ -586,6 +586,9 @@ static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFD if ((result = EAS_HWFilePos(hwInstData, pXMFData->fileHandle, &offset)) != EAS_SUCCESS) return result; + if (offset - nodeOffset > headerLength) + return EAS_FAILURE; + /* skip to node contents */ if ((result = EAS_HWFileSeek(hwInstData, pXMFData->fileHandle, nodeOffset + headerLength)) != EAS_SUCCESS) return result; |