diff options
authorPhil Burk <>2018-08-18 11:52:03 -0700
committerTim Schumacher <>2019-01-15 17:36:09 +0100
commit33f6259be06d2a524689cf28c7f1a152664733da (patch)
parente59440fb2a99026b5e033347e925e8ade2d61a05 (diff)
A security patch that was trying to detect infinite loops was accidentally rejecting very large MIDI files. This is because there is a scanning pass that looks at the entire file. That was generating a very high eventCount. With this change, we do not check event counts during the scanning pass. Bug: 112735915 Bug: 112575219 Bug: 68664359 Test: Generate a MIDI files with more than 50000 events. Test: There are some in b/112735915 and b/112575219 Test: mmma frameworks/av/cmds/stagefright Test: adb push out/target/product/marlin/system/bin/stagefright /system/bin/. Test: adb shell stagefright -a /sdcard/Download/verybigfile.mid Test: It should play correctly and not abort. Change-Id: Iddf2f5b178e9ca3867b14fcd78d538023d79240d Merged-In: Iddf2f5b178e9ca3867b14fcd78d538023d79240d (cherry picked from commit 123051dd0271ac0f245cb88c38878c6b21880632)
1 files changed, 10 insertions, 5 deletions
diff --git a/arm-wt-22k/lib_src/eas_public.c b/arm-wt-22k/lib_src/eas_public.c
index abb8135..b5ec176 100644
--- a/arm-wt-22k/lib_src/eas_public.c
+++ b/arm-wt-22k/lib_src/eas_public.c
@@ -1248,12 +1248,13 @@ static EAS_RESULT EAS_ParseEvents (S_EAS_DATA *pEASData, EAS_HANDLE pStream, EAS
EAS_BOOL done;
EAS_U32 time = 0;
// This constant is the maximum number of events that can be processed in a single time slice.
// A typical ringtone will contain a few events per time slice.
// Extremely dense ringtones might go up to 50 events.
// If we see this many events then the file is probably stuck in an infinite loop
- // and should be aborted. In our testing, it took less than 100 msec to hit this limit.
- static const EAS_INT MAX_EVENT_COUNT = 50000;
+ // and should be aborted.
+ static const EAS_INT MAX_EVENT_COUNT = 100000;
EAS_INT eventCount = 0;
/* does this parser have a time function? */
@@ -1309,10 +1310,14 @@ static EAS_RESULT EAS_ParseEvents (S_EAS_DATA *pEASData, EAS_HANDLE pStream, EAS
return result;
- // An infinite loop within a single frame of a ringtone file can cause this function
+ // An infinite loop within a ringtone file can cause this function
// to loop forever. Try to detect that and return an error.
- if (++eventCount >= MAX_EVENT_COUNT) {
- ALOGE("%s() aborting, %d events without advancing to next frame",
+ // Only check when playing. Otherwise a very large file could be rejected
+ // when scanning the entire file in a single call to this function.
+ // OTA files will only do infinite loops when in eParserModePlay.
+ if (++eventCount >= MAX_EVENT_COUNT && parseMode == eParserModePlay) {
+ ALOGE("%s() aborting, %d events. Infinite loop in song file?!",
__func__, eventCount);
android_errorWriteLog(0x534e4554, "68664359");