From e999f077f6ef59d20282f1e04786816a31fb8be6 Mon Sep 17 00:00:00 2001 From: Eric Laurent Date: Thu, 14 May 2015 09:10:40 -0700 Subject: DLS parser: fix wave pool size check. Bug: 21132860. Change-Id: I8ae872ea2cc2e8fec5fa0b7815f0b6b31ce744ff (cherry picked from commit 2d7f8e1be2241e48458f5d3cab5e90be2b07c699) --- arm-wt-22k/lib_src/eas_mdls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'arm-wt-22k/lib_src') diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c index e8dc463..51cce70 100644 --- a/arm-wt-22k/lib_src/eas_mdls.c +++ b/arm-wt-22k/lib_src/eas_mdls.c @@ -938,7 +938,7 @@ static EAS_RESULT Parse_wave (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_ } // limit to reasonable size - if (dataSize > MAX_DLS_WAVE_SIZE) + if (dataSize < 0 || dataSize > MAX_DLS_WAVE_SIZE) { return EAS_ERROR_SOUND_LIBRARY; } -- cgit v1.2.3 From 0c3f41e87fba16c56a53be372b165d18ab57e0fd Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Wed, 19 Aug 2015 15:08:13 -0700 Subject: Check segments and libs Bug: 23286323 Change-Id: I95ee385d0fb1503a4ce5a96e30d034ac8b81170e --- arm-wt-22k/lib_src/jet.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'arm-wt-22k/lib_src') diff --git a/arm-wt-22k/lib_src/jet.c b/arm-wt-22k/lib_src/jet.c index 97672cf..2f1541f 100644 --- a/arm-wt-22k/lib_src/jet.c +++ b/arm-wt-22k/lib_src/jet.c @@ -282,10 +282,16 @@ static EAS_RESULT JetParseInfoChunk (EAS_DATA_HANDLE easHandle, EAS_I32 pos, EAS switch (infoType) { case INFO_NUM_SMF_CHUNKS: + if (temp >= JET_MAX_SEGMENTS) { + return EAS_ERROR_INCOMPATIBLE_VERSION; + } easHandle->jetHandle->numSegments = (EAS_U8) temp; break; case INFO_NUM_DLS_CHUNKS: + if (temp >= JET_MAX_DLS_COLLECTIONS) { + return EAS_ERROR_INCOMPATIBLE_VERSION; + } easHandle->jetHandle->numLibraries = (EAS_U8) temp; break; -- cgit v1.2.3 From bca9c895f4aaab4d84cf3b8f96a7d23e2b77b08f Mon Sep 17 00:00:00 2001 
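Review bot: The comment above the size check in Parse_wave, `// limit to reasonable size`, no longer describes the whole condition now that it also rejects negative values. I would reword it to `// reject negative or oversized wave data sizes` so the reason for `dataSize < 0` is stated next to the check. Whether a zero dataSize is handled safely further down cannot be seen here, because Parse_wave continues outside the hunk.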
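Review bot: Both new range checks in JetParseInfoChunk use `>=`, so a file declaring exactly JET_MAX_SEGMENTS segments or JET_MAX_DLS_COLLECTIONS libraries is rejected. If those constants are array capacities, a count equal to the capacity would still be in bounds and `>` would be the exact test, so a one-line comment stating which is intended would help. The checks also only protect the following `(EAS_U8) temp` narrowing if both limits are at most 256 and `temp` is unsigned, neither of which is visible in this hunk. EAS_ERROR_INCOMPATIBLE_VERSION is an odd result for an out-of-range count; a file-format error code, if the library defines one, would tell the caller more.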
From: Wei Jia Date: Thu, 20 Aug 2015 16:25:04 -0700 Subject: Sonivox: make sure waveIndex is valid in Parse_rgn() in eas_mdls.c. Bug: 23335715 Change-Id: I4a5522c46dcda9285db1f830337aa2642ddc4fd1 (cherry picked from commit 99e0e2e2c1fd0f895b6d4bdf0a85798cf044218e) --- arm-wt-22k/lib_src/eas_mdls.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'arm-wt-22k/lib_src') diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c index 51cce70..d66c734 100644 --- a/arm-wt-22k/lib_src/eas_mdls.c +++ b/arm-wt-22k/lib_src/eas_mdls.c @@ -1676,6 +1676,10 @@ static EAS_RESULT Parse_rgn (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I /* parse wlnk chunk */ if ((result = Parse_wlnk(pDLSData, wlnkPos, &waveIndex)) != EAS_SUCCESS) return result; + if (waveIndex >= pDLSData->waveCount) + { + return EAS_FAILURE; + } pWsmp = &pDLSData->wsmpData[waveIndex]; /* if there is any articulation data, parse it */ -- cgit v1.2.3 From 92777226a87ffe7c574797263d5a4f7113df05b7 Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Thu, 20 Aug 2015 16:03:14 -0700 Subject: Sonivox: fix overflow in Parse_data in eas_mdls.c Bug: 23307276 Change-Id: Iea56eae9a1855b41840f8d814717fe6379c5bb4d --- arm-wt-22k/lib_src/eas_mdls.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'arm-wt-22k/lib_src') diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c index d66c734..f260c05 100644 --- a/arm-wt-22k/lib_src/eas_mdls.c +++ b/arm-wt-22k/lib_src/eas_mdls.c @@ -139,6 +139,14 @@ extern double log10(double x); #define DLS_MAX_INST_COUNT 256 #define MAX_DLS_WAVE_SIZE (1024*1024) +#ifndef EAS_U32_MAX +#define EAS_U32_MAX (4294967295U) +#endif + +#ifndef EAS_I32_MAX +#define EAS_I32_MAX (2147483647) +#endif + /*------------------------------------ * typedefs *------------------------------------ 
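Review bot: The new `waveIndex >= pDLSData->waveCount` test in Parse_rgn has no comment, although it is the only check between the value filled in by Parse_wlnk and the `wsmpData[waveIndex]` index on the next line. I would add `/* waveIndex comes from the wlnk chunk; reject it before indexing wsmpData */` above it. The declarations are outside the hunk; if both waveIndex and waveCount turn out to be signed, a negative index passes and `waveIndex < 0 ||` is needed as well. The check returns the generic EAS_FAILURE, whereas the wave-size check in Parse_wave in the same file returns EAS_ERROR_SOUND_LIBRARY for malformed input.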
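Review bot: `EAS_I32_MAX` is defined in this hunk, but none of the hunks in this commit use it; the new checks reference only `EAS_U32_MAX`. Either drop the macro or add the signed check it was meant for. Both definitions are wrapped in `#ifndef`, which suggests they belong in a shared types header rather than in eas_mdls.c.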
@@ -1126,6 +1134,14 @@ static EAS_RESULT Parse_wsmp (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, S_WS /* get loop length */ if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, &p->loopLength, EAS_FALSE)) != EAS_SUCCESS) return result; + + /* ensure no overflow */ + if (p->loopLength + && ((p->loopStart > EAS_U32_MAX - p->loopLength) + || (p->loopStart + p->loopLength > EAS_U32_MAX / sizeof(EAS_SAMPLE)))) + { + return EAS_FAILURE; + } } return EAS_SUCCESS; @@ -1272,7 +1288,15 @@ static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_ /* for looped samples, copy the last sample to the end */ if (pWsmp->loopLength) + { + if (pDLSData->wavePoolSize < sizeof(EAS_SAMPLE) + || (pWsmp->loopStart + pWsmp->loopLength) * sizeof(EAS_SAMPLE) > pDLSData->wavePoolSize - sizeof(EAS_SAMPLE)) + { + return EAS_FAILURE; + } + pSample[pWsmp->loopStart + pWsmp->loopLength] = pSample[pWsmp->loopStart]; + } return EAS_SUCCESS; } -- cgit v1.2.3 From b022acbcd0695ec7a6d27a1093875304981fa84e Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Fri, 21 Aug 2015 13:41:42 -0700 Subject: Sonivox: check loopStart/loopLength against one specific wave, not whole wave pool. Bug: 23307276 Change-Id: I4c2644feb42c8455be63e48a12ebfc62313cf4cf (cherry picked from commit 9cf7e8775823c4e136a9841d41dcdb5fe4f98173) --- arm-wt-22k/lib_src/eas_mdls.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'arm-wt-22k/lib_src') diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c index f260c05..b08e24e 100644 --- a/arm-wt-22k/lib_src/eas_mdls.c +++ b/arm-wt-22k/lib_src/eas_mdls.c 
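Review bot: The comment `/* ensure no overflow */` in Parse_wsmp does not say which computation is being protected. The condition bounds `loopStart + loopLength` and its product with `sizeof(EAS_SAMPLE)` to 32 bits, which is the expression Parse_data uses in this commit to index the sample buffer; a comment such as `/* loopStart + loopLength is later scaled by sizeof(EAS_SAMPLE); reject values whose sum or byte offset would wrap 32 bits */` would make that link explicit. This rules out arithmetic wrap only: it does not compare the loop against the actual sample length, and loopStart is left unchecked when loopLength is zero.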
@@ -416,7 +416,7 @@ static EAS_RESULT Parse_ptbl (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_ static EAS_RESULT Parse_wave (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_U16 waveIndex); static EAS_RESULT Parse_wsmp (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, S_WSMP_DATA *p); static EAS_RESULT Parse_fmt (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, S_WSMP_DATA *p); -static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size, S_WSMP_DATA *p, EAS_SAMPLE *pSample); +static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size, S_WSMP_DATA *p, EAS_SAMPLE *pSample, EAS_U32 sampleLen); static EAS_RESULT Parse_lins(SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size); static EAS_RESULT Parse_ins (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size); static EAS_RESULT Parse_insh (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_U32 *pRgnCount, EAS_U32 *pLocale); @@ -1031,7 +1031,7 @@ static EAS_RESULT Parse_wave (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_ } /* allocate memory and read in the sample data */ - pSample = pDLSData->pDLS->pDLSSamples + pDLSData->wavePoolOffset; + pSample = (EAS_U8*)pDLSData->pDLS->pDLSSamples + pDLSData->wavePoolOffset; pDLSData->pDLS->pDLSSampleOffsets[waveIndex] = pDLSData->wavePoolOffset; pDLSData->pDLS->pDLSSampleLen[waveIndex] = (EAS_U32) size; pDLSData->wavePoolOffset += (EAS_U32) size; @@ -1041,7 +1041,7 @@ static EAS_RESULT Parse_wave (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_ return EAS_ERROR_SOUND_LIBRARY; } - if ((result = Parse_data(pDLSData, dataPos, dataSize, p, pSample)) != EAS_SUCCESS) + if ((result = Parse_data(pDLSData, dataPos, dataSize, p, pSample, (EAS_U32)size)) != EAS_SUCCESS) return result; return EAS_SUCCESS; 
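Review bot: In the second hunk the added `(EAS_U8*)` cast makes `wavePoolOffset` a byte offset, but the resulting `EAS_U8 *` is assigned directly to `pSample`, which is then passed to Parse_data as an `EAS_SAMPLE *`. Unless EAS_SAMPLE is exactly `EAS_U8` this is a mismatched pointer assignment, so I would convert back explicitly: `pSample = (EAS_SAMPLE *)((EAS_U8 *)pDLSData->pDLS->pDLSSamples + pDLSData->wavePoolOffset);`. A short comment that wavePoolOffset and pDLSSampleLen are byte counts would also help, since the new `sampleLen` argument is compared against multiples of `sizeof(EAS_SAMPLE)` in Parse_data. The declaration of pSample is outside the hunk.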
@@ -1233,7 +1233,7 @@ static EAS_RESULT Parse_fmt (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, S_WSM * *---------------------------------------------------------------------------- */ -static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size, S_WSMP_DATA *pWsmp, EAS_SAMPLE *pSample) +static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I32 size, S_WSMP_DATA *pWsmp, EAS_SAMPLE *pSample, EAS_U32 sampleLen) { EAS_RESULT result; EAS_U8 convBuf[SAMPLE_CONVERT_CHUNK_SIZE]; @@ -1289,8 +1289,8 @@ static EAS_RESULT Parse_data (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_ /* for looped samples, copy the last sample to the end */ if (pWsmp->loopLength) { - if (pDLSData->wavePoolSize < sizeof(EAS_SAMPLE) - || (pWsmp->loopStart + pWsmp->loopLength) * sizeof(EAS_SAMPLE) > pDLSData->wavePoolSize - sizeof(EAS_SAMPLE)) + if (sampleLen < sizeof(EAS_SAMPLE) + || (pWsmp->loopStart + pWsmp->loopLength) * sizeof(EAS_SAMPLE) > sampleLen - sizeof(EAS_SAMPLE)) { return EAS_FAILURE; } @@ -1746,6 +1746,17 @@ static EAS_RESULT Parse_rgn (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I } Convert_rgn(pDLSData, regionIndex, artIndex, (EAS_U16) waveIndex, pWsmp); + + /* ensure loopStart and loopEnd fall in the range */ + if (pWsmp->loopLength != 0) + { + EAS_U32 sampleLen = pDLSData->pDLS->pDLSSampleLen[waveIndex]; + if (sampleLen < sizeof(EAS_SAMPLE) + || (pWsmp->loopStart + pWsmp->loopLength) * sizeof(EAS_SAMPLE) > sampleLen - sizeof(EAS_SAMPLE)) + { + return EAS_FAILURE; + } + } } /* if local articulation, bump count */ -- cgit v1.2.3 From 047330f1c245bcb3641856a6adabfc344d6e3c36 Mon Sep 17 00:00:00 2001 
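Review bot: In the Parse_rgn hunk the loop range check runs after `Convert_rgn(...)` has already been called with the same `pWsmp`, so the region is converted from loop values that are only rejected afterwards. Unless Convert_rgn is known not to depend on loopStart and loopLength, I would move the `if (pWsmp->loopLength != 0) { ... }` block above the Convert_rgn call. The condition is also a copy of the one added to Parse_data in this commit; a small static helper taking `(const S_WSMP_DATA *, EAS_U32 sampleLen)` would keep the two from drifting apart. Parse_rgn starts and ends outside the hunk.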
From: Wei Jia Date: Tue, 5 Jan 2016 10:16:24 -0800 Subject: Sonivox: sanity check numSamples. Bug: 26366256 Change-Id: I066888c25035ea4c60c88f316db4508dc4dab6bc --- arm-wt-22k/lib_src/eas_wtengine.c | 26 ++++++++++++++++++++++++++ arm-wt-22k/lib_src/eas_wtsynth.c | 6 ++++++ 2 files changed, 32 insertions(+) (limited to 'arm-wt-22k/lib_src') diff --git a/arm-wt-22k/lib_src/eas_wtengine.c b/arm-wt-22k/lib_src/eas_wtengine.c index 224f60d..e7263fd 100644 --- a/arm-wt-22k/lib_src/eas_wtengine.c +++ b/arm-wt-22k/lib_src/eas_wtengine.c @@ -32,6 +32,8 @@ * includes *------------------------------------ */ +#include "log/log.h" + #include "eas_types.h" #include "eas_math.h" #include "eas_audioconst.h" @@ -88,6 +90,10 @@ void WT_VoiceGain (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) /* initialize some local variables */ numSamples = pWTIntFrame->numSamples; + if (numSamples <= 0) { + ALOGE("b/26366256"); + return; + } pMixBuffer = pWTIntFrame->pMixBuffer; pInputBuffer = pWTIntFrame->pAudioBuffer; @@ -182,6 +188,10 @@ void WT_Interpolate (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) /* initialize some local variables */ numSamples = pWTIntFrame->numSamples; + if (numSamples <= 0) { + ALOGE("b/26366256"); + return; + } pOutputBuffer = pWTIntFrame->pAudioBuffer; loopEnd = (const EAS_SAMPLE*) pWTVoice->loopEnd + 1; @@ -275,6 +285,10 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) /* initialize some local variables */ numSamples = pWTIntFrame->numSamples; + if (numSamples <= 0) { + ALOGE("b/26366256"); + return; + } pOutputBuffer = pWTIntFrame->pAudioBuffer; phaseInc = pWTIntFrame->frame.phaseIncrement; @@ -363,6 +377,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame) /* initialize some local variables */ numSamples = pWTIntFrame->numSamples; + if (numSamples <= 0) { + ALOGE("b/26366256"); + return; + } pAudioBuffer = pWTIntFrame->pAudioBuffer; z1 = pFilter->z1; 
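Review bot: The guard added to WT_VoiceGain logs only `ALOGE("b/26366256")`, with no function name or offending value, and the same four lines are repeated in WT_Interpolate, WT_InterpolateNoLoop, WT_VoiceFilter, the function patched at -426 and WT_InterpolateMono. I would log the context, e.g. `ALOGE("%s: bad numSamples %d (b/26366256)", __func__, (int) numSamples);`, and put the guard in a single macro or static inline helper. These functions appear to run once per voice per frame, so a persistent bad value would emit an error line on every call; logging once or rate-limiting is worth considering. Only a lower bound is checked; whether numSamples is bounded above by the buffer size is not visible in these hunks.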
@@ -426,6 +444,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame) /* initialize some local variables */ numSamples = pWTIntFrame->numSamples; + if (numSamples <= 0) { + ALOGE("b/26366256"); + return; + } pOutputBuffer = pWTIntFrame->pAudioBuffer; phaseInc = pWTIntFrame->frame.phaseIncrement; @@ -569,6 +591,10 @@ void WT_InterpolateMono (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) EAS_I8 *pLoopStart; numSamples = pWTIntFrame->numSamples; + if (numSamples <= 0) { + ALOGE("b/26366256"); + return; + } pMixBuffer = pWTIntFrame->pMixBuffer; /* calculate gain increment */ diff --git a/arm-wt-22k/lib_src/eas_wtsynth.c b/arm-wt-22k/lib_src/eas_wtsynth.c index 45cf4b1..25a70db 100644 --- a/arm-wt-22k/lib_src/eas_wtsynth.c +++ b/arm-wt-22k/lib_src/eas_wtsynth.c @@ -28,6 +28,8 @@ */ // includes +#include "log/log.h" + #include "eas_data.h" #include "eas_report.h" #include "eas_host.h" @@ -467,6 +469,10 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E } else { pWTIntFrame->numSamples = numSamples; } + if (pWTIntFrame->numSamples < 0) { + ALOGE("b/26366256"); + pWTIntFrame->numSamples = 0; + } /* sound will be done this frame */ done = EAS_TRUE; -- cgit v1.2.3 From 8e618348f91aaedc59d1d14c14d1f3eaf1e4c103 Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Tue, 12 Jan 2016 10:37:30 -0800 Subject: Sonivox: add SafetyNet log. Bug: 26366256 Change-Id: Ief72e01b7cc6d87a015105af847a99d3d9b03cb0 --- arm-wt-22k/lib_src/eas_wtengine.c | 7 +++++++ arm-wt-22k/lib_src/eas_wtsynth.c | 2 ++ 2 files changed, 9 insertions(+) (limited to 'arm-wt-22k/lib_src') diff --git a/arm-wt-22k/lib_src/eas_wtengine.c b/arm-wt-22k/lib_src/eas_wtengine.c index e7263fd..854d4b4 100644 --- a/arm-wt-22k/lib_src/eas_wtengine.c +++ b/arm-wt-22k/lib_src/eas_wtengine.c @@ -33,6 +33,7 @@ *------------------------------------ */ #include "log/log.h" +#include #include "eas_types.h" #include "eas_math.h" 
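Review bot: In WT_CheckSampleEnd a negative count is clamped to `pWTIntFrame->numSamples = 0`, but the engine guards added to eas_wtengine.c in this same commit treat `numSamples <= 0` as an error and log it. If the clamped frame is subsequently rendered, each such frame is reported twice, and a frame that is legitimately empty would be reported as well. I would either make the engine checks `< 0` with a silent early return on zero, or add a comment here stating that zero is never a valid frame length. The computation of numSamples sits above the hunk, so the reason it can go negative is not visible.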
@@ -92,6 +93,7 @@ void WT_VoiceGain (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) numSamples = pWTIntFrame->numSamples; if (numSamples <= 0) { ALOGE("b/26366256"); + android_errorWriteLog(0x534e4554, "26366256"); return; } pMixBuffer = pWTIntFrame->pMixBuffer; @@ -190,6 +192,7 @@ void WT_Interpolate (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) numSamples = pWTIntFrame->numSamples; if (numSamples <= 0) { ALOGE("b/26366256"); + android_errorWriteLog(0x534e4554, "26366256"); return; } pOutputBuffer = pWTIntFrame->pAudioBuffer; @@ -287,6 +290,7 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) numSamples = pWTIntFrame->numSamples; if (numSamples <= 0) { ALOGE("b/26366256"); + android_errorWriteLog(0x534e4554, "26366256"); return; } pOutputBuffer = pWTIntFrame->pAudioBuffer; @@ -379,6 +383,7 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame) numSamples = pWTIntFrame->numSamples; if (numSamples <= 0) { ALOGE("b/26366256"); + android_errorWriteLog(0x534e4554, "26366256"); return; } pAudioBuffer = pWTIntFrame->pAudioBuffer; @@ -446,6 +451,7 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame) numSamples = pWTIntFrame->numSamples; if (numSamples <= 0) { ALOGE("b/26366256"); + android_errorWriteLog(0x534e4554, "26366256"); return; } pOutputBuffer = pWTIntFrame->pAudioBuffer; @@ -593,6 +599,7 @@ void WT_InterpolateMono (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) numSamples = pWTIntFrame->numSamples; if (numSamples <= 0) { ALOGE("b/26366256"); + android_errorWriteLog(0x534e4554, "26366256"); return; } pMixBuffer = pWTIntFrame->pMixBuffer; diff --git a/arm-wt-22k/lib_src/eas_wtsynth.c b/arm-wt-22k/lib_src/eas_wtsynth.c index 25a70db..9257951 100644 --- a/arm-wt-22k/lib_src/eas_wtsynth.c +++ b/arm-wt-22k/lib_src/eas_wtsynth.c @@ -29,6 +29,7 @@ // includes #include "log/log.h" +#include #include "eas_data.h" #include "eas_report.h" 
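Review bot: `0x534e4554` is repeated as a bare literal in every `android_errorWriteLog` call added by this commit, six in eas_wtengine.c and one in eas_wtsynth.c. The bytes spell "SNET"; a named constant such as `#define EAS_SAFETYNET_TAG 0x534e4554 /* "SNET" */` would document that and keep the call sites consistent. In eas_wtengine.c the calls sit under `numSamples <= 0`, so a zero-length frame is reported as a security event along with negative ones. If zero can occur in normal playback, the SafetyNet call should be limited to `numSamples < 0`.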
@@ -471,6 +472,7 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E } if (pWTIntFrame->numSamples < 0) { ALOGE("b/26366256"); + android_errorWriteLog(0x534e4554, "26366256"); pWTIntFrame->numSamples = 0; } -- cgit v1.2.3