Merge cherrypicks of [2315763, 2315554, 2315573, 2315765, 2315712, 2315595, 2315713, 2315746, 2315786, 2315799, 2315576, 2315800, 2315673, 2315821, 2315578, 2315597, 2315633, 2315598, 2315769, 2315716, 2315634, 2315823, 2315801, 2315636, 2315717, 2315772, 2315753, 2315803, 2315638, 2315840, 2315841, 2315842, 2315824, 2315791, 2315879, 2315804, 2315827, 2315863, 2315792, 2315864, 2315755, 2315882, 2315756, 2315828, 2315793, 2315865, 2315883, 2315899, 2315885, 2315796, 2315869, 2315923, 2315924, 2315943] into nyc-mr1-security-e-release
Change-Id: I691f66a3d3c3dffd8a1c1be6dc8ebc5b70ff5389
diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c
index 296d783..8097ba4 100644
--- a/arm-wt-22k/lib_src/eas_mdls.c
+++ b/arm-wt-22k/lib_src/eas_mdls.c
@@ -785,6 +785,11 @@
if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, pSize, EAS_FALSE)) != EAS_SUCCESS)
return result;
+ if (*pSize < 0) {
+ ALOGE("b/37093318");
+ return EAS_ERROR_FILE_FORMAT;
+ }
+
/* get form type for RIFF and LIST types */
if ((*pChunkType == CHUNK_RIFF) || (*pChunkType == CHUNK_LIST))
{
diff --git a/arm-wt-22k/lib_src/eas_xmf.c b/arm-wt-22k/lib_src/eas_xmf.c
index 830b6e5..169eb7e 100644
--- a/arm-wt-22k/lib_src/eas_xmf.c
+++ b/arm-wt-22k/lib_src/eas_xmf.c
@@ -27,6 +27,8 @@
*----------------------------------------------------------------------------
*/
+#include <log/log.h>
+
#include "eas_data.h"
#include "eas_miditypes.h"
#include "eas_parser.h"
@@ -649,6 +651,11 @@
for ( ; numItems > 0; numItems--)
{
/* process this item */
+ if (offset <= nodeOffset) {
+ ALOGE("b/36725407: parser did not advance");
+ return EAS_ERROR_FILE_FORMAT;
+ }
+
if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length)) != EAS_SUCCESS)
return result;
