authorMikhail Naganov <mnaganov@google.com>2017-07-24 17:25:47 -0700
committerMSe <mse1969@posteo.de>2017-10-04 23:29:39 +0200
commit135afc5f73eea239b6b8f0d2767cf64882b84913 (patch)
treec6aef4286679194de64d67279347cc02e9fad3ca
parent3e96328616d731a91ec162109e9cc514aa46b23f (diff)
Add EFFECT_CMD_SET_PARAM parameter checking to Downmix and Reverb
Bug: 63662938 Bug: 63526567 Test: Added CTS tests Change-Id: I8ed398cd62a9f461b0590e37f593daa3d8e4dbc4 (cherry picked from commit 804632afcdda6e80945bf27c384757bda50560cb) CVE-2017-0815 CVE-2017-0816
-rw-r--r--media/libeffects/downmix/EffectDownmix.c4
-rw-r--r--media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp39
2 files changed, 40 insertions, 3 deletions
diff --git a/media/libeffects/downmix/EffectDownmix.c b/media/libeffects/downmix/EffectDownmix.c
index 18059b2e90..a6b7436557 100644
--- a/media/libeffects/downmix/EffectDownmix.c
+++ b/media/libeffects/downmix/EffectDownmix.c
@@ -414,6 +414,10 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS
return -EINVAL;
}
effect_param_t *cmd = (effect_param_t *) pCmdData;
+ if (cmd->psize != sizeof(int32_t)) {
+ android_errorWriteLog(0x534e4554, "63662938");
+ return -EINVAL;
+ }
*(int *)pReplyData = Downmix_setParameter(pDownmixer, *(int32_t *)cmd->data,
cmd->vsize, cmd->data + sizeof(int32_t));
break;
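Review bot: The added guard pins `cmd->psize`, but nothing visible in this hunk ties `cmd->vsize` to `cmdSize` before `cmd->vsize` and `cmd->data + sizeof(int32_t)` are handed to Downmix_setParameter. The size check that ends just above the hunk is not visible here; if it only covers the header plus one int32_t, a declared vsize larger than the command buffer would let the callee read past the end of it. Consider also rejecting a value that does not fit, e.g. `if (cmd->vsize > cmdSize - sizeof(effect_param_t) - sizeof(int32_t)) return -EINVAL;`, which is safe from wrap-around only if the earlier check already guarantees that minimum cmdSize. Downmix_Command starts and ends outside the hunk.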
diff --git a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
index 4dc8b45926..19892ddac3 100644
--- a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
+++ b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
@@ -180,12 +180,13 @@ int Reverb_init (ReverbContext *pContext);
void Reverb_free (ReverbContext *pContext);
int Reverb_setConfig (ReverbContext *pContext, effect_config_t *pConfig);
void Reverb_getConfig (ReverbContext *pContext, effect_config_t *pConfig);
-int Reverb_setParameter (ReverbContext *pContext, void *pParam, void *pValue);
+int Reverb_setParameter (ReverbContext *pContext, void *pParam, void *pValue, int vsize);
int Reverb_getParameter (ReverbContext *pContext,
void *pParam,
uint32_t *pValueSize,
void *pValue);
int Reverb_LoadPreset (ReverbContext *pContext);
+int Reverb_paramValueSize (int32_t param);
/* Effect Library Interface Implementation */
@@ -1747,12 +1748,13 @@ int Reverb_getParameter(ReverbContext *pContext,
// pContext - handle to instance data
// pParam - pointer to parameter
// pValue - pointer to value
+// vsize - value size
//
// Outputs:
//
//----------------------------------------------------------------------------
-int Reverb_setParameter (ReverbContext *pContext, void *pParam, void *pValue){
+int Reverb_setParameter (ReverbContext *pContext, void *pParam, void *pValue, int vsize){
int status = 0;
int16_t level;
int16_t ratio;
@@ -1776,6 +1778,11 @@ int Reverb_setParameter (ReverbContext *pContext, void *pParam, void *pValue){
return 0;
}
+ if (vsize < Reverb_paramValueSize(param)) {
+ android_errorWriteLog(0x534e4554, "63526567");
+ return -EINVAL;
+ }
+
switch (param){
case REVERB_PARAM_PROPERTIES:
ALOGV("\tReverb_setParameter() REVERB_PARAM_PROPERTIES");
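Review bot: The comparison `vsize < Reverb_paramValueSize(param)` is done in signed `int`, while the call site in Reverb_command (last hunk) passes `p->vsize`, which is an unsigned 32-bit field of effect_param_t. A declared size above INT_MAX is therefore rejected only because the conversion typically makes it negative. Declaring the parameter as `uint32_t vsize` (in the prototype hunk and the definition hunk as well) and returning `size_t` or `uint32_t` from Reverb_paramValueSize would make the check say what it means. The check also tests only the declared size: the visible call site does not show `p->psize + p->vsize` being bounded by `cmdSize`, so that is worth confirming in Reverb_command. Reverb_setParameter starts and ends outside this hunk.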
@@ -1851,6 +1858,31 @@ int Reverb_setParameter (ReverbContext *pContext, void *pParam, void *pValue){
return status;
} /* end Reverb_setParameter */
+
+/**
+ * returns the size in bytes of the value of each environmental reverb parameter
+ */
+int Reverb_paramValueSize(int32_t param) {
+ switch (param) {
+ case REVERB_PARAM_ROOM_LEVEL:
+ case REVERB_PARAM_ROOM_HF_LEVEL:
+ case REVERB_PARAM_REFLECTIONS_LEVEL:
+ case REVERB_PARAM_REVERB_LEVEL:
+ return sizeof(int16_t); // millibel
+ case REVERB_PARAM_DECAY_TIME:
+ case REVERB_PARAM_REFLECTIONS_DELAY:
+ case REVERB_PARAM_REVERB_DELAY:
+ return sizeof(uint32_t); // milliseconds
+ case REVERB_PARAM_DECAY_HF_RATIO:
+ case REVERB_PARAM_DIFFUSION:
+ case REVERB_PARAM_DENSITY:
+ return sizeof(int16_t); // permille
+ case REVERB_PARAM_PROPERTIES:
+ return sizeof(s_reverb_settings); // struct of all reverb properties
+ }
+ return sizeof(int32_t);
+}
+
} // namespace
} // namespace
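Review bot: The doc comment on Reverb_paramValueSize does not say what is returned for a parameter that is not listed in the switch, and the trailing `return sizeof(int32_t);` carries no explanation. Because Reverb_setParameter uses the result as a lower bound, the comment should say so, for example `returns the minimum size in bytes of the value of each environmental reverb parameter; parameters not listed require at least sizeof(int32_t)`. A short `// parameter not listed above` on the fallback return would make the intent clear to whoever adds the next REVERB_PARAM_* value.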
@@ -2022,7 +2054,8 @@ int Reverb_command(effect_handle_t self,
*(int *)pReplyData = android::Reverb_setParameter(pContext,
(void *)p->data,
- p->data + p->psize);
+ p->data + p->psize,
+ p->vsize);
} break;
case EFFECT_CMD_ENABLE: