Merge cherrypicks of [2331043, 2330986, 2331024, 2331025, 2330859, 2330970, 2331044, 2330893, 2330950, 2330951, 2330940, 2331045, 2330954, 2330799, 2330987, 2331004, 2331061, 2331005, 2331047, 2330955, 2331030, 2331031, 2331101, 2330972, 2330956, 2331032, 2331006, 2330894, 2331063, 2331064, 2330895, 2331048, 2331102, 2331035, 2331007, 2331083, 2331103, 2331104, 2330897, 2331084, 2331067, 2331009, 2331010, 2330898, 2330989, 2331105, 2330899, 2331011, 2331069, 2330990, 2331121, 2331122, 2331086] into nyc-mr2-security-a-release
Change-Id: I2919109e8ed833ccf841c352ea33dccbcee9e453
diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c
index 296d783..8097ba4 100644
--- a/arm-wt-22k/lib_src/eas_mdls.c
+++ b/arm-wt-22k/lib_src/eas_mdls.c
@@ -785,6 +785,11 @@
if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, pSize, EAS_FALSE)) != EAS_SUCCESS)
return result;
+ if (*pSize < 0) {
+ ALOGE("b/37093318");
+ return EAS_ERROR_FILE_FORMAT;
+ }
+
/* get form type for RIFF and LIST types */
if ((*pChunkType == CHUNK_RIFF) || (*pChunkType == CHUNK_LIST))
{
diff --git a/arm-wt-22k/lib_src/eas_xmf.c b/arm-wt-22k/lib_src/eas_xmf.c
index 830b6e5..169eb7e 100644
--- a/arm-wt-22k/lib_src/eas_xmf.c
+++ b/arm-wt-22k/lib_src/eas_xmf.c
@@ -27,6 +27,8 @@
*----------------------------------------------------------------------------
*/
+#include <log/log.h>
+
#include "eas_data.h"
#include "eas_miditypes.h"
#include "eas_parser.h"
@@ -649,6 +651,11 @@
for ( ; numItems > 0; numItems--)
{
/* process this item */
+ if (offset <= nodeOffset) {
+ ALOGE("b/36725407: parser did not advance");
+ return EAS_ERROR_FILE_FORMAT;
+ }
+
if ((result = XMF_ReadNode(hwInstData, pXMFData, offset, &length)) != EAS_SUCCESS)
return result;
