diff options
| author | Robert Shih <robertshih@google.com> | 2017-12-01 11:48:35 -0800 |
|---|---|---|
| committer | Dobroslaw Kijowski <dobo90@gmail.com> | 2018-02-08 12:31:13 +0100 |
| commit | 28f3d88e180c18b76f07e33ee4f3b27c2a57fd2b (patch) | |
| tree | 2a40eabb395ed5bac391f0104e2ca3b38fef2fcc | |
| parent | 9174dd42e8e10b9b4d4cbcae9955e117b45ee59e (diff) | |
| download | android_external_sonivox-28f3d88e180c18b76f07e33ee4f3b27c2a57fd2b.tar.gz android_external_sonivox-28f3d88e180c18b76f07e33ee4f3b27c2a57fd2b.tar.bz2 android_external_sonivox-28f3d88e180c18b76f07e33ee4f3b27c2a57fd2b.zip | |
Add recursion limit to XMF_ReadNode
Bug: 68160703
Test: stagefright poc.xmf
Change-Id: I1ed8cbbfaf2f26e9d3679898a62669da87a2251d
(cherry picked from commit 781ff001b9e734dd4297765b6b0d15f391cb06d9)
| -rw-r--r-- | arm-wt-22k/lib_src/eas_xmf.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/arm-wt-22k/lib_src/eas_xmf.c b/arm-wt-22k/lib_src/eas_xmf.c index 169eb7e..07ee8f7 100644 --- a/arm-wt-22k/lib_src/eas_xmf.c +++ b/arm-wt-22k/lib_src/eas_xmf.c @@ -67,7 +67,7 @@ static EAS_RESULT XMF_Resume (S_EAS_DATA *pEASData, EAS_VOID_PTR pInstData); static EAS_RESULT XMF_SetData (S_EAS_DATA *pEASData, EAS_VOID_PTR pInstData, EAS_I32 param, EAS_I32 value); static EAS_RESULT XMF_GetData (S_EAS_DATA *pEASData, EAS_VOID_PTR pInstData, EAS_I32 param, EAS_I32 *pValue); static EAS_RESULT XMF_FindFileContents (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData); -static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength); +static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength, EAS_I32 depth); static EAS_RESULT XMF_ReadVLQ (EAS_HW_DATA_HANDLE hwInstData, EAS_FILE_HANDLE fileHandle, EAS_I32 *value); @@ -504,6 +504,7 @@ static EAS_RESULT XMF_FindFileContents (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DAT EAS_RESULT result; EAS_I32 value; EAS_I32 length; + EAS_I32 node_depth = 0 ; /* initialize offsets */ pXMFData->dlsOffset = pXMFData->midiOffset = 0; @@ -521,7 +522,7 @@ static EAS_RESULT XMF_FindFileContents (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DAT /* get TreeStart offset and jump to it */ if ((result = XMF_ReadVLQ(hwInstData, pXMFData->fileHandle, &value)) != EAS_SUCCESS) return result; - if ((result = XMF_ReadNode(hwInstData, pXMFData, value, &length)) != EAS_SUCCESS) + if ((result = XMF_ReadNode(hwInstData, pXMFData, value, &length, node_depth)) != EAS_SUCCESS) return result; /* check for SMF data */ @@ -552,7 +553,7 @@ static EAS_RESULT XMF_FindFileContents (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DAT * *---------------------------------------------------------------------------- */ -static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength) +static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength, EAS_I32 depth) { EAS_RESULT result; EAS_I32 refType; @@ -562,6 +563,10 @@ static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFD EAS_I32 headerLength; EAS_U32 chunkType; + /* check the depth of current node*/ + if ( depth > 100 ) + return EAS_ERROR_FILE_FORMAT; + /* seek to start of node */ if ((result = EAS_HWFileSeek(hwInstData, pXMFData->fileHandle, nodeOffset)) != EAS_SUCCESS) return result; @@ -656,7 +661,7 @@ static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFD return EAS_ERROR_FILE_FORMAT; } - if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length)) != EAS_SUCCESS) + if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length, depth+1)) != EAS_SUCCESS) return result; /* seek to start of next item */ |