commit a21dab1e85bb0b21a04d3b5884d178b446336642
author Robert Shih <robertshih@google.com> Fri Dec 01 11:48:35 2017 -0800
committer Nikoli Cartagena <dargeren@google.com> Tue Jan 02 16:09:21 2018 -0800
tree 9c2b312a5e19b1adda3fa5f32de3b5b80fe87e7c
parent 09bafcdc5edeec674ea30f6ba71f7bdea883d587

Add recursion limit to XMF_ReadNode

Bug: 68160703
Test: stagefright poc.xmf
Change-Id: I1ed8cbbfaf2f26e9d3679898a62669da87a2251d
(cherry picked from commit 781ff001b9e734dd4297765b6b0d15f391cb06d9)

arm-wt-22k/lib_src/eas_xmf.c

diff --git a/arm-wt-22k/lib_src/eas_xmf.c b/arm-wt-22k/lib_src/eas_xmf.c
index 169eb7e..07ee8f7 100644
--- a/arm-wt-22k/lib_src/eas_xmf.c
+++ b/arm-wt-22k/lib_src/eas_xmf.c
@@ -67,7 +67,7 @@
 static EAS_RESULT XMF_SetData (S_EAS_DATA *pEASData, EAS_VOID_PTR pInstData, EAS_I32 param, EAS_I32 value);
 static EAS_RESULT XMF_GetData (S_EAS_DATA *pEASData, EAS_VOID_PTR pInstData, EAS_I32 param, EAS_I32 *pValue);
 static EAS_RESULT XMF_FindFileContents (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData);
-static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength);
+static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength, EAS_I32 depth);
 static EAS_RESULT XMF_ReadVLQ (EAS_HW_DATA_HANDLE hwInstData, EAS_FILE_HANDLE fileHandle, EAS_I32 *value);
 
 
@@ -504,6 +504,7 @@
     EAS_RESULT result;
     EAS_I32 value;
     EAS_I32 length;
+    EAS_I32 node_depth = 0 ;
 
     /* initialize offsets */
     pXMFData->dlsOffset = pXMFData->midiOffset = 0;
@@ -521,7 +522,7 @@
     /* get TreeStart offset and jump to it */
     if ((result = XMF_ReadVLQ(hwInstData, pXMFData->fileHandle, &value)) != EAS_SUCCESS)
         return result;
-    if ((result = XMF_ReadNode(hwInstData, pXMFData, value, &length)) != EAS_SUCCESS)
+    if ((result = XMF_ReadNode(hwInstData, pXMFData, value, &length, node_depth)) != EAS_SUCCESS)
         return result;
 
     /* check for SMF data */
@@ -552,7 +553,7 @@
  *
  *----------------------------------------------------------------------------
 */
-static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength)
+static EAS_RESULT XMF_ReadNode (EAS_HW_DATA_HANDLE hwInstData, S_XMF_DATA *pXMFData, EAS_I32 nodeOffset, EAS_I32 *pLength, EAS_I32 depth)
 {
     EAS_RESULT result;
     EAS_I32 refType;
@@ -562,6 +563,10 @@
     EAS_I32 headerLength;
     EAS_U32 chunkType;
 
+    /* check the depth of current node*/
+    if ( depth > 100 )
+        return EAS_ERROR_FILE_FORMAT;
+
     /* seek to start of node */
     if ((result = EAS_HWFileSeek(hwInstData, pXMFData->fileHandle, nodeOffset)) != EAS_SUCCESS)
         return result;
@@ -656,7 +661,7 @@
                 return EAS_ERROR_FILE_FORMAT;
             }
 
-            if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length)) != EAS_SUCCESS)
+            if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length, depth+1)) != EAS_SUCCESS)
                 return result;
 
             /* seek to start of next item */