commit e9da29c84af99795c274a88505ec0389beaf3aaa
author Karsten Tausche <karsten@fairphone.com> Thu Dec 09 11:55:14 2021 +0100
committer Karsten Tausche <karsten@fairphone.com> Thu Dec 09 11:55:14 2021 +0100
tree 100889f5abeb7d5f50f6e907c000079a20f29bf8
parent 6d187d7f342d422fe7285f558e605202e9f379ea
parent 98d542fbbc8b70b603d47ff5b9961fd757411b97

Merge tag 'android-security-11.0.0_r49' into int/11/fp3

Android security 11.0.0 release 49

* tag 'android-security-11.0.0_r49':
  sonivox: Fix global buffer overflow in WT_InterpolateNoLoop

Change-Id: I36605ee8227b17c152aeda64759481c5edeceb1c

arm-wt-22k/lib_src/eas_mdls.c

diff --git a/arm-wt-22k/lib_src/eas_mdls.c b/arm-wt-22k/lib_src/eas_mdls.c
index 876ce9b..fac6987 100644
--- a/arm-wt-22k/lib_src/eas_mdls.c
+++ b/arm-wt-22k/lib_src/eas_mdls.c
@@ -1372,6 +1372,10 @@
         {
             return EAS_SUCCESS;
         }
+        if (sampleLen < sizeof(EAS_SAMPLE)
+            || (pWsmp->loopStart + pWsmp->loopLength) * sizeof(EAS_SAMPLE) > sampleLen - sizeof(EAS_SAMPLE)) {
+            return EAS_FAILURE;
+        }
 
         pSample[(pWsmp->loopStart + pWsmp->loopLength)>>1] = pSample[(pWsmp->loopStart)>>1];
     }

arm-wt-22k/lib_src/eas_public.c

diff --git a/arm-wt-22k/lib_src/eas_public.c b/arm-wt-22k/lib_src/eas_public.c
index b3161f0..776c1ca 100644
--- a/arm-wt-22k/lib_src/eas_public.c
+++ b/arm-wt-22k/lib_src/eas_public.c
@@ -996,7 +996,6 @@
     EAS_BOOL done;
     EAS_INT yieldCount = YIELD_EVENT_COUNT;
     EAS_U32 time = 0;
-
     // This constant is the maximum number of events that can be processed in a single time slice.
     // A typical ringtone will contain a few events per time slice.
     // Extremely dense ringtones might go up to 50 events.