authorAndy Hung <hunga@google.com>2016-06-07 17:51:48 -0700
committerJessica Wagantall <jwagantall@cyngn.com>2016-07-08 16:40:21 -0700
commit40f67043312dc9c379573ec3b86f93a3f28d7310 (patch)
treeef6434106219bbd7cf2148e41e7e18bebe13e473
parent935a96c69fe2916f7d512a2d039ae00a60d24ace (diff)
DO NOT MERGE Fix AudioEffect reply overflowstable/cm-13.0-caf-8996-ZNH2KB
Bug: 28173666 Ticket: CYNGNOS-3020 Change-Id: I055af37a721b20c5da0f1ec4b02f630dcd5aee02 (cherry picked from commit 57fd9637536d40ec8c40a6bed76a71471dab0f64) (cherry picked from commit afd861d7a3a4e628c6c657902a0da6cc167ce52c)
-rw-r--r--post_proc/bundle.c5
-rw-r--r--voice_processing/voice_processing.c4
2 files changed, 6 insertions, 3 deletions
diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index 2bc7fad1..03475773 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c
@@ -855,8 +855,9 @@ int effect_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
if (pCmdData == NULL ||
cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
pReplyData == NULL ||
- *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
- sizeof(uint16_t))) {
+ *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
status = -EINVAL;
ALOGW("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
cmdSize, *replySize);
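Review bot: The added clause `((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)` bounds psize only against the reply buffer; nothing in this condition compares it with cmdSize. If the memcpy that the comment refers to (outside this hunk) reads `sizeof(effect_param_t) + psize` bytes from pCmdData, a caller-supplied psize larger than the command payload would still read past the end of the command buffer and copy adjacent memory into the reply. I would add a matching source-side clause, `((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t) ||`, which cannot wrap because the earlier `cmdSize <` clause short-circuits first. The same gap is present in the fx_command hunk in voice_processing/voice_processing.c. It is also worth confirming that the value written after the parameter (vsize) is bounded against *replySize further down, since that code is not shown here.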
diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c
index 1e1e123b..610bee61 100644
--- a/voice_processing/voice_processing.c
+++ b/voice_processing/voice_processing.c
@@ -565,7 +565,9 @@ static int fx_command(effect_handle_t self,
if (pCmdData == NULL ||
cmdSize < (int)sizeof(effect_param_t) ||
pReplyData == NULL ||
- *replySize < (int)sizeof(effect_param_t)) {
+ *replySize < (int)sizeof(effect_param_t) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args");
return -EINVAL;
}
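Review bot: The rejection path here logs with ALOGV and no values, so an out-of-range psize from a client is dropped without a usable trace; ALOGV is normally compiled out unless LOG_NDEBUG is 0. Since this branch now catches a malformed request that matters for memory safety, I would raise it to a warning and include the sizes, as the bundle.c hunk does: `ALOGW("fx_command() EFFECT_CMD_GET_PARAM invalid args cmdSize %u *replySize %u", cmdSize, *replySize);` (assuming both are uint32_t as in effect_command). psize should not be printed unconditionally in this branch, because pCmdData may be NULL when it is reached. The body of fx_command continues outside the hunk.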