summaryrefslogtreecommitdiffstats
path: root/arm-wt-22k/lib_src
diff options
context:
space:
mode:
authorWei Jia <wjia@google.com>2015-08-26 02:07:10 (GMT)
committerIvan Kutepov <its.kutepov@gmail.com>2018-02-07 23:28:43 (GMT)
commitffaf075e5fa8155312bbaddffa73f3fe272566d8 (patch)
tree70ff4e031c5c694505f7e1f55d2add791dcca449 /arm-wt-22k/lib_src
parent4fa4fd30aaa57a857384cef9bfa87d8846304dff (diff)
downloadandroid_external_sonivox-ffaf075e5fa8155312bbaddffa73f3fe272566d8.zip
android_external_sonivox-ffaf075e5fa8155312bbaddffa73f3fe272566d8.tar.gz
android_external_sonivox-ffaf075e5fa8155312bbaddffa73f3fe272566d8.tar.bz2
Sonivox: sanity check headerLength in XMF_ReadNode.
Bug: 23342881 Bug: 35472997 Change-Id: I025338c5f0b39cac89ad786afc69cf085e830568 (cherry picked from commit eefb545f69f6ae1e8b32150dd9a28b73cc751f17) CVE-2017-0644
Diffstat (limited to 'arm-wt-22k/lib_src')
-rw-r--r--arm-wt-22k/lib_src/eas_xmf.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/arm-wt-22k/lib_src/eas_xmf.c b/arm-wt-22k/lib_src/eas_xmf.c
index 5b398c4..169eb7e 100644
--- a/arm-wt-22k/lib_src/eas_xmf.c
+++ b/arm-wt-22k/lib_src/eas_xmf.c
@@ -586,6 +586,9 @@ static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFD
if ((result = EAS_HWFilePos(hwInstData, pXMFData->fileHandle, &offset)) != EAS_SUCCESS)
return result;
+ if (offset - nodeOffset > headerLength)
+ return EAS_FAILURE;
+
/* skip to node contents */
if ((result = EAS_HWFileSeek(hwInstData, pXMFData->fileHandle, nodeOffset + headerLength)) != EAS_SUCCESS)
return result;