From e43e8adbc6a3b3f5c27a7e9090c5f3e55f1426a8 Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Thu, 11 May 2017 14:43:54 -0700
Subject: Check chunk size

to make sure we actually advance in the file

Bug: 37093318
Test: decoded poc and other files with and without change
AOSP-Change-Id: I94cf65336ce4132c17c39b651dc520264f02a704
(cherry picked from commit f01750adb0558d1885c7d5a5c8900d2187d0d38d)
CVE-2017-0694

Change-Id: I3627f73dccfbb04dd744475c96e5532302b8196a
---
 arm-wt-22k/lib_src/eas_mdls.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'arm-wt-22k/lib_src/eas_mdls.c')

diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c
index 6da1207..79dd01d 100644
--- a/arm-wt-22k/lib_src/eas_mdls.c
+++ b/arm-wt-22k/lib_src/eas_mdls.c
@@ -791,6 +791,11 @@ static EAS_RESULT NextChunk (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 *pPos, EAS
     if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, pSize, EAS_FALSE)) != EAS_SUCCESS)
         return result;
 
+    if (*pSize < 0) {
+        ALOGE("b/37093318");
+        return EAS_ERROR_FILE_FORMAT;
+    }
+
     /* get form type for RIFF and LIST types */
     if ((*pChunkType == CHUNK_RIFF) || (*pChunkType == CHUNK_LIST))
     {
-- 
cgit v1.2.3