DO NOT MERGE Fix AudioEffect reply overflowstable/cm-13.0-ZNH2KB

Bug: 28173666
Ticket: CYNGNOS-3020
Change-Id: I055af37a721b20c5da0f1ec4b02f630dcd5aee02
(cherry picked from commit 57fd9637536d40ec8c40a6bed76a71471dab0f64)
(cherry picked from commit b11c3625f0e2be1659525a86e50554a453ae05ce)

2 files changed, 6 insertions, 3 deletions

diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index c728115c..93f6c332 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c
@@ -640,8 +640,9 @@ int effect_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
         if (pCmdData == NULL ||
             cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
             pReplyData == NULL ||
-            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
-                               sizeof(uint16_t))) {
+            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+            // constrain memcpy below
+            ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
             status = -EINVAL;
             ALOGV("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
                   cmdSize, *replySize);
diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c
index 90034115..f01a107e 100644
--- a/voice_processing/voice_processing.c
+++ b/voice_processing/voice_processing.c
@@ -564,7 +564,9 @@ static int fx_command(effect_handle_t  self,
             if (pCmdData == NULL ||
                     cmdSize < (int)sizeof(effect_param_t) ||
                     pReplyData == NULL ||
-                    *replySize < (int)sizeof(effect_param_t)) {
+                    *replySize < (int)sizeof(effect_param_t) ||
+                    // constrain memcpy below
+                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
                 ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args");
                 return -EINVAL;
             }