Check data consistency in mdls parsing

Added checks to ensure consistency of waveCount, instCount, regionCount and artCount in two passes of parsing Bug: 150159669 Bug: 150160279 Bug: 150159906 Bug: 150160041 Test: poc in bug Merged-In: I6f3098b029b6da56415a588882a5bb908edd3db7 Change-Id: I6f3098b029b6da56415a588882a5bb908edd3db7 (cherry picked from commit c049c140e3aff87f1c6e557437cc050dd864cc5f) (cherry picked from commit e689e94f3b7473497052e81d906a10a82407e559)
AOSiP · Sep 12, 2020 · 5f5954e · 5f5954e
1 parent f76dc3d
commit 5f5954e
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/arm-wt-22k/host_src/eas_types.h b/arm-wt-22k/host_src/eas_types.h
@@ -76,6 +76,7 @@ typedef long EAS_RESULT;
 #define EAS_ERROR_QUEUE_IS_FULL             -36
 #define EAS_ERROR_QUEUE_IS_EMPTY            -37
 #define EAS_ERROR_FEATURE_ALREADY_ACTIVE    -38
+#define EAS_ERROR_DATA_INCONSISTENCY        -39
 
 /* special return codes */
 #define EAS_EOF                             3

diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c
@@ -851,6 +851,15 @@ static EAS_RESULT Parse_ptbl (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_
     if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, &pDLSData->waveCount, EAS_FALSE)) != EAS_SUCCESS)
         return result;
 
+    /* if second pass, ensure waveCount matches with the value parsed in first pass */
+    if (pDLSData->pDLS)
+    {
+        if (pDLSData->waveCount != pDLSData->pDLS->numDLSSamples)
+        {
+            return EAS_ERROR_DATA_INCONSISTENCY;
+        }
+    }
+
 #if 0
     /* just need the wave count on the first pass */
     if (!pDLSData->pDLS)
@@ -1411,6 +1420,15 @@ static EAS_RESULT Parse_lins (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_
         if (temp != CHUNK_INS)
             continue;
 
+        /* if second pass, ensure instCount is less than numDLSPrograms */
+        if (pDLSData->pDLS)
+        {
+            if (pDLSData->instCount >= pDLSData->pDLS->numDLSPrograms)
+            {
+                return EAS_ERROR_DATA_INCONSISTENCY;
+            }
+        }
+
         if ((result = Parse_ins(pDLSData, chunkPos + 12, size)) != EAS_SUCCESS)
             return result;
     }
@@ -1646,6 +1664,14 @@ static EAS_RESULT Parse_lrgn (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_
                 { /* dpp: EAS_ReportEx(_EAS_SEVERITY_WARNING, "DLS region count exceeded cRegions value in insh, extra region ignored\n"); */ }
                 return EAS_SUCCESS;
             }
+            /* if second pass, ensure regionCount is less than numDLSRegions */
+            if (pDLSData->pDLS)
+            {
+                if (pDLSData->regionCount >= pDLSData->pDLS->numDLSRegions)
+                {
+                    return EAS_ERROR_DATA_INCONSISTENCY;
+                }
+            }
             if ((result = Parse_rgn(pDLSData, chunkPos + 12, size, artIndex)) != EAS_SUCCESS)
                 return result;
             regionCount++;
@@ -1793,6 +1819,12 @@ static EAS_RESULT Parse_rgn (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 pos, EAS_I
         /* if local data was found convert it */
         if (art.values[PARAM_MODIFIED] == EAS_TRUE)
         {
+            /* ensure artCount is less than numDLSArticulations */
+            if (pDLSData->artCount >= pDLSData->pDLS->numDLSArticulations)
+            {
+                return EAS_ERROR_DATA_INCONSISTENCY;
+            }
+
             Convert_art(pDLSData, &art, (EAS_U16) pDLSData->artCount);
             artIndex = (EAS_U16) pDLSData->artCount;
         }