authorrago <rago@google.com>2017-06-06 15:02:43 -0700
committerIvan Kutepov <its.kutepov@gmail.com>2017-08-14 03:33:35 +0300
commite62c87b18ce4885b290299a24f42dd2311f86e9b (patch)
tree96ed962193be63d9fc63e8efce04dac9d9ca3a92
parentc15fd133cc2f827321ef538383da6dec38581fd1 (diff)
Fix security vulnerability: Equalizer setParameter memory overflowreplicant-6.0-0002
Bug: 37563371 Test: use POC on bug or cts security test Change-Id: Ia04f172fb21b11463ffa9ea023d69a3db01e0731 (cherry picked from commit 617cd5c7f46c2312c7253001c46e7eea4c0315e0)
-rw-r--r--post_proc/equalizer.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index 9af4ff0d..17993ee4 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c
@@ -356,6 +356,7 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
equalizer_context_t *eq_ctxt = (equalizer_context_t *)context;
int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
void *value = p->data + voffset;
+ int32_t vsize = (int32_t) p->vsize;
int32_t *param_tmp = (int32_t *)p->data;
int32_t param = *param_tmp++;
int32_t preset;
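Review bot: The new local `vsize` is declared signed although it is only ever compared with `sizeof` expressions, so every bounds check this commit adds is a signed/unsigned comparison. A `p->vsize` above INT32_MAX becomes negative at the cast and is converted back to a large unsigned value in `vsize < sizeof(int16_t)`; the result is the intended one, but only through the conversion rules, and the value would show up as a negative number in the later ALOGE. Keeping the field's own type, for example `uint32_t vsize = p->vsize;` (assuming the field is unsigned, as the cast suggests), makes the checks read as what they enforce. The body of equalizer_set_parameter starts and continues outside this hunk.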
@@ -369,6 +370,10 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
switch (param) {
case EQ_PARAM_CUR_PRESET:
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
preset = (int32_t)(*(uint16_t *)value);
if ((preset >= equalizer_get_num_presets(eq_ctxt)) || (preset < 0)) {
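Review bot: The short-value reject added under `EQ_PARAM_CUR_PRESET` is silent, as are the matching ones under `EQ_PARAM_BAND_LEVEL` and at the top of `EQ_PARAM_PROPERTIES`. Only the band-array check in the last hunk calls `android_errorWriteLog(0x534e4554, "37563371")`. An undersized value is the same malformed-request signal in all four places, so logging each reject would give detection a consistent record. If the omission is deliberate, a comment on each guard such as `/* value shorter than one int16_t: reject before dereferencing */` would document it. The three identical four-line guards could also be folded into one small static helper so the size rule lives in one place.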
@@ -378,6 +383,10 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
equalizer_set_preset(eq_ctxt, preset);
break;
case EQ_PARAM_BAND_LEVEL:
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
band = *param_tmp;
level = (int32_t)(*(int16_t *)value);
if (band < 0 || band >= NUM_EQ_BANDS) {
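Review bot: `band = *param_tmp;` reads a second 32-bit word from the parameter area, but nothing in this hunk checks that `p->psize` covers two `int32_t` values; the added guard only covers `vsize`. If the caller does not already validate `psize`, this read can still fall outside the supplied buffer, and so can the `value` pointer derived from `voffset`. A guard next to the new one, `if (p->psize < 2 * sizeof(int32_t)) { p->status = -EINVAL; break; }`, would close that gap. Otherwise a comment should say where `psize` is validated. The switch statement continues outside this hunk.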
@@ -391,6 +400,10 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
equalizer_set_band_level(eq_ctxt, band, level);
break;
case EQ_PARAM_PROPERTIES: {
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
int16_t *prop = (int16_t *)value;
if ((int)prop[0] >= equalizer_get_num_presets(eq_ctxt)) {
p->status = -EINVAL;
@@ -399,6 +412,13 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
if (prop[0] >= 0) {
equalizer_set_preset(eq_ctxt, (int)prop[0]);
} else {
+ if (vsize < (2 + NUM_EQ_BANDS) * sizeof(int16_t)) {
+ android_errorWriteLog(0x534e4554, "37563371");
+ ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %d",
+ vsize, (2 + NUM_EQ_BANDS) * sizeof(int16_t));
+ p->status = -EINVAL;
+ break;
+ }
if ((int)prop[1] != NUM_EQ_BANDS) {
p->status = -EINVAL;
break;
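Review bot: The added ALOGE passes `(2 + NUM_EQ_BANDS) * sizeof(int16_t)`, a `size_t`, to a `%d` conversion, which is a format/argument mismatch and can log a wrong value on LP64 builds. Use `%zu` for the second conversion, as in `ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %zu", vsize, (2 + NUM_EQ_BANDS) * sizeof(int16_t));`, or cast the expression to `int`. The size check itself matches a layout of `prop[0]`, `prop[1]` and NUM_EQ_BANDS levels. The code that consumes the levels is outside this hunk, so that layout is inferred from the check.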