From a66b28ebd1117778f025deaab2cf042d3e5ac74c Mon Sep 17 00:00:00 2001 From: rago Date: Tue, 15 Nov 2016 13:00:50 -0800 Subject: Fix security vulnerability: Effect command might allow negative indexes Bug: 32588016 Bug: 32585400 Test: Use POC bug or cts security test Change-Id: I5ef8c756369d488ad5903c163584f24de63d73e3 (cherry picked from commit 500a9feaf816c719241de83f2ee65c8e2d7ff269) (cherry picked from commit ed79f2cc961d7d35fdbbafdd235c1436bcd74358) # Conflicts: # post_proc/equalizer.c Fix security vulnerability: Equalizer command might allow negative indexes Bug: 32247948 Bug: 32438598 Bug: 32436341 Test: use POC on bug or cts security test Change-Id: I56a92582687599b5b313dea1abcb8bcb19c7fc0e (cherry picked from commit 3f37d4ef89f4f0eef9e201c5a91b7b2c77ed1071) (cherry picked from commit ceb7b2d7a4c4cb8d03f166c61f5c7551c6c760aa) (cherry picked from commit d72ea85c78a1a68bf99fd5804ad9784b4102fe57) --- post_proc/equalizer.c | 39 ++++++++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c index a26e4131..9af4ff0d 100644 --- a/post_proc/equalizer.c +++ b/post_proc/equalizer.c @@ -264,8 +264,12 @@ int equalizer_get_parameter(effect_context_t *context, effect_param_t *p, case EQ_PARAM_BAND_LEVEL: param2 = *param_tmp; - if (param2 >= NUM_EQ_BANDS) { + if (param2 < 0 || param2 >= NUM_EQ_BANDS) { p->status = -EINVAL; + if (param2 < 0) { + android_errorWriteLog(0x534e4554, "32438598"); + ALOGW("\tERROR EQ_PARAM_BAND_LEVEL band %d", param2); + } break; } *(int16_t *)value = (int16_t)equalizer_get_band_level(eq_ctxt, param2); 
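Review bot: The warning added in this case, `ALOGW("\tERROR EQ_PARAM_BAND_LEVEL band %d", param2);`, has the same text as the one added to equalizer_set_parameter in the last hunk, so a log reader cannot tell whether the rejected index arrived on the get or the set path. The existing ALOGV in the EQ_PARAM_GET_PRESET_NAME case already prefixes `__func__`; doing the same here, e.g. `ALOGW("%s: EQ_PARAM_BAND_LEVEL invalid band %d", __func__, param2);`, keeps the events distinguishable, and the same applies to the warnings in the other four hunks. Only negative indexes are logged, while a value at or above NUM_EQ_BANDS is still rejected silently, which leaves half of the out-of-range cases invisible to anyone triaging malformed effect commands. The tag `0x534e4554` is repeated as a bare literal in all five hunks and would read better as one named constant with a comment saying what it identifies. The body of equalizer_get_parameter starts and ends outside this hunk.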
@@ -273,8 +277,12 @@ int equalizer_get_parameter(effect_context_t *context, effect_param_t *p, case EQ_PARAM_CENTER_FREQ: param2 = *param_tmp; - if (param2 >= NUM_EQ_BANDS) { - p->status = -EINVAL; + if (param2 < 0 || param2 >= NUM_EQ_BANDS) { + p->status = -EINVAL; + if (param2 < 0) { + android_errorWriteLog(0x534e4554, "32436341"); + ALOGW("\tERROR EQ_PARAM_CENTER_FREQ band %d", param2); + } break; } *(int32_t *)value = equalizer_get_center_frequency(eq_ctxt, param2); @@ -282,8 +290,12 @@ int equalizer_get_parameter(effect_context_t *context, effect_param_t *p, case EQ_PARAM_BAND_FREQ_RANGE: param2 = *param_tmp; - if (param2 >= NUM_EQ_BANDS) { + if (param2 < 0 || param2 >= NUM_EQ_BANDS) { p->status = -EINVAL; + if (param2 < 0) { + android_errorWriteLog(0x534e4554, "32247948"); + ALOGW("\tERROR EQ_PARAM_BAND_FREQ_RANGE band %d", param2); + } break; } equalizer_get_band_freq_range(eq_ctxt, param2, (uint32_t *)value, @@ -306,9 +318,14 @@ int equalizer_get_parameter(effect_context_t *context, effect_param_t *p, case EQ_PARAM_GET_PRESET_NAME: param2 = *param_tmp; ALOGV("%s: EQ_PARAM_GET_PRESET_NAME: param2: %d", __func__, param2); - if (param2 >= equalizer_get_num_presets(eq_ctxt)) { - p->status = -EINVAL; - break; + if ((param2 < 0 && param2 != PRESET_CUSTOM) || + param2 >= equalizer_get_num_presets(eq_ctxt)) { + p->status = -EINVAL; + if (param2 < 0) { + android_errorWriteLog(0x534e4554, "32588016"); + ALOGW("\tERROR EQ_PARAM_GET_PRESET_NAME preset %d", param2); + } + break; } name = (char *)value; strlcpy(name, equalizer_get_preset_name(eq_ctxt, param2), p->vsize - 1); 
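Review bot: In the EQ_PARAM_GET_PRESET_NAME hunk, the context line `strlcpy(name, equalizer_get_preset_name(eq_ctxt, param2), p->vsize - 1);` still takes its bound from the caller-supplied `vsize`. If `vsize` is 0 and the field is unsigned, `p->vsize - 1` wraps to a very large size and the copy is no longer limited by the reply buffer. No `vsize` check is visible in this hunk, so unless one exists earlier in the function, a guard such as `if (p->vsize < 1) { p->status = -EINVAL; break; }` belongs before the copy. The new condition also lets PRESET_CUSTOM through on purpose, so equalizer_get_preset_name must accept that value, and the `>=` comparison only behaves as written if equalizer_get_num_presets returns a signed type. Both are defined outside the hunk and worth confirming.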
@@ -363,8 +380,12 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p, case EQ_PARAM_BAND_LEVEL: band = *param_tmp; level = (int32_t)(*(int16_t *)value); - if (band >= NUM_EQ_BANDS) { - p->status = -EINVAL; + if (band < 0 || band >= NUM_EQ_BANDS) { + p->status = -EINVAL; + if (band < 0) { + android_errorWriteLog(0x534e4554, "32585400"); + ALOGW("\tERROR EQ_PARAM_BAND_LEVEL band %d", band); + } break; } equalizer_set_band_level(eq_ctxt, band, level); -- cgit v1.2.3
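Review bot: In this hunk `band = *param_tmp;` and `level = (int32_t)(*(int16_t *)value);` read from the command buffer before any visible check that the caller's `psize` covers a second parameter word or that `vsize` covers an int16_t. The new range check validates the index only after those reads, so it does not bound the reads themselves. The same pattern, `param2 = *param_tmp;`, opens each case in the four equalizer_get_parameter hunks. If the sizes are not validated earlier in the function or by its caller (neither is visible here), a guard such as `if (p->psize < 2 * sizeof(int32_t) || p->vsize < sizeof(int16_t)) { p->status = -EINVAL; break; }` should come first, assuming parameter words are 32-bit. The body of equalizer_set_parameter starts and ends outside the hunk.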