commit 8c30e87f16fefc68b467e591f6734100335e935d
author android-build-team Robot <android-build-team-robot@google.com> Sun May 14 07:21:30 2017 +0000
committer android-build-team Robot <android-build-team-robot@google.com> Sun May 14 07:21:30 2017 +0000
tree e8252bd5e3ee966b78ded82801564cce09eeec01
parent 5f76661d4276b58d3b001c31addbf004feaec775
parent 586ae06666233be941267145b5d17947668cd636

release-request-951b3a8b-6c0c-4d2e-8af4-1c3f7e209f66-for-git_oc-release-4006899 snap-temp-L39600000063784275

Change-Id: Ie342b885405ba9df769f55086b21d793f02c1cfa

arm-wt-22k/lib_src/eas_mdls.c

diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c
index 688de6e..5b736c6 100644
--- a/arm-wt-22k/lib_src/eas_mdls.c
+++ b/arm-wt-22k/lib_src/eas_mdls.c
@@ -787,6 +787,11 @@
     if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, pSize, EAS_FALSE)) != EAS_SUCCESS)
         return result;
 
+    if (*pSize < 0) {
+        ALOGE("b/37093318");
+        return EAS_ERROR_FILE_FORMAT;
+    }
+
     /* get form type for RIFF and LIST types */
     if ((*pChunkType == CHUNK_RIFF) || (*pChunkType == CHUNK_LIST))
     {

arm-wt-22k/lib_src/eas_xmf.c

diff --git a/arm-wt-22k/lib_src/eas_xmf.c b/arm-wt-22k/lib_src/eas_xmf.c
index 830b6e5..169eb7e 100644
--- a/arm-wt-22k/lib_src/eas_xmf.c
+++ b/arm-wt-22k/lib_src/eas_xmf.c
@@ -27,6 +27,8 @@
  *----------------------------------------------------------------------------
 */
 
+#include <log/log.h>
+
 #include "eas_data.h"
 #include "eas_miditypes.h"
 #include "eas_parser.h"
@@ -649,6 +651,11 @@
         for ( ; numItems > 0; numItems--)
         {
             /* process this item */
+            if (offset <= nodeOffset) {
+                ALOGE("b/36725407: parser did not advance");
+                return EAS_ERROR_FILE_FORMAT;
+            }
+
             if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length)) != EAS_SUCCESS)
                 return result;