| author | rago <rago@google.com> | 2017-06-07 01:49:09 +0000 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2017-06-07 01:49:09 +0000 |
| commit | d3448da042e991a6feac53764c72ce075fe7835f (patch) | |
| tree | 90fb5bc1df301252d1dcf52646e915d14ce0c1b7 /post_proc | |
| parent | 8b596d749703ecfd6401858d9c95e792915757a8 (diff) | |
| parent | 3f7ffd5d569081b53081036b3cdd265109b10029 (diff) | |
Merge "Fix security vulnerability: Equalizer setParameter memory overflow" into lmp-dev am: 1f0f83e1ff am: b3ad2a046e am: dfd990face am: 9f623d6475 am: d4517e643b am: f4c3975abf am: 878d778986 am: a31de317d4 am: 025df90241 am: 853a6bc15f am: d9a108d531
am: 3f7ffd5d56
Change-Id: Icd744fb5e1f076a663887bf07c2507e2a1d355e3
Diffstat (limited to 'post_proc')
| -rw-r--r-- | post_proc/equalizer.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index de32bb4..f7d6152 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c
@@ -371,6 +371,7 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 equalizer_context_t *eq_ctxt = (equalizer_context_t *)context;
 int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
 void *value = p->data + voffset;
+ int32_t vsize = (int32_t) p->vsize;
 int32_t *param_tmp = (int32_t *)p->data;
 int32_t param = *param_tmp++;
 int32_t preset;
@@ -385,6 +386,10 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 switch (param) {
 case EQ_PARAM_CUR_PRESET:
 ALOGV("EQ_PARAM_CUR_PRESET");
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
 preset = (int32_t)(*(uint16_t *)value);
 if ((preset >= equalizer_get_num_presets(eq_ctxt)) || (preset < 0)) {
@@ -395,6 +400,10 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 break;
 case EQ_PARAM_BAND_LEVEL:
 ALOGV("EQ_PARAM_BAND_LEVEL");
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
 band = *param_tmp;
 level = (int32_t)(*(int16_t *)value);
 if (band < 0 || band >= NUM_EQ_BANDS) {
@@ -409,6 +418,10 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 break;
 case EQ_PARAM_PROPERTIES: {
 ALOGV("EQ_PARAM_PROPERTIES");
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
 int16_t *prop = (int16_t *)value;
 if ((int)prop[0] >= equalizer_get_num_presets(eq_ctxt)) {
 p->status = -EINVAL;
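Review bot: In the first hunk the new local is declared `int32_t vsize = (int32_t) p->vsize;`, yet every guard this commit adds compares it with a `sizeof` expression, so the comparison is carried out unsigned anyway. The signed type buys nothing: it only adds a signed/unsigned comparison warning, and a length above INT32_MAX would print as negative in the log line added in the last hunk. Keeping the unsigned width of the field, `uint32_t vsize = p->vsize;` (with `%u` in the log format), makes the guards read as the length checks they are. The declaration block sits inside equalizer_set_parameter, whose signature and remaining body are outside the hunk.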
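Review bot: The EQ_PARAM_CUR_PRESET guard rejects a short value with `-EINVAL` but leaves no trace, whereas the length check in the last hunk reports through `ALOGE` and `android_errorWriteLog`. The EQ_PARAM_BAND_LEVEL guard and the first EQ_PARAM_PROPERTIES guard are silent in the same way. A malformed setParameter request is worth seeing in logcat during triage, so each of the three could log before setting the status, e.g. `ALOGE("\tERROR EQ_PARAM_CUR_PRESET valueSize %d < %zu", vsize, sizeof(int16_t));` with the matching parameter name.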
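Review bot: In the EQ_PARAM_BAND_LEVEL hunk, `band = *param_tmp;` reads the second 32-bit word of the parameter area, but the added guard checks only `vsize`, and nothing in the visible lines confirms that `p->psize` covers two words. With a one-word psize, `voffset` places `value` at that same word, so the read of `band` can extend past the two bytes the new check guarantees. Unless the caller already enforces this (not visible here), extend the guard to `if (p->psize < 2 * sizeof(int32_t) || vsize < sizeof(int16_t)) {`. The case body continues past the end of the hunk.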
@@ -417,6 +430,13 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 if (prop[0] >= 0) {
 equalizer_set_preset(eq_ctxt, (int)prop[0]);
 } else {
+ if (vsize < (2 + NUM_EQ_BANDS) * sizeof(int16_t)) {
+ android_errorWriteLog(0x534e4554, "37563371");
+ ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %d",
+ vsize, (2 + NUM_EQ_BANDS) * sizeof(int16_t));
+ p->status = -EINVAL;
+ break;
+ }
 if ((int)prop[1] != NUM_EQ_BANDS) {
 p->status = -EINVAL;
 break; |
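Review bot: The second `%d` in the new `ALOGE` call receives `(2 + NUM_EQ_BANDS) * sizeof(int16_t)`, which has type `size_t`. That mismatch is undefined behaviour in a variadic call on builds where `size_t` is wider than `int`, and the diagnostic emitted on the rejection path may then show the wrong number. Use `%zu` for that argument: `ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %zu",`. The length check itself covers the `prop[1]` read that follows; the code that consumes the band levels lies beyond the end of the hunk and is not visible here.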
