From b673740408112a785e17395d7943acec159f6715 Mon Sep 17 00:00:00 2001 From: Andy Hung Date: Thu, 28 Apr 2016 13:43:44 -0700 Subject: DO NOT MERGE Fix AudioEffect reply overflow Bug: 28173666 Change-Id: I055af37a721b20c5da0f1ec4b02f630dcd5aee02 (cherry picked from commit 57fd9637536d40ec8c40a6bed76a71471dab0f64) --- post_proc/bundle.c | 5 +++-- voice_processing/voice_processing.c | 4 +++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/post_proc/bundle.c b/post_proc/bundle.c index d39a8b72..15021cf0 100644 --- a/post_proc/bundle.c +++ b/post_proc/bundle.c @@ -855,8 +855,9 @@ int effect_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, if (pCmdData == NULL || cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) || pReplyData == NULL || - *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + - sizeof(uint16_t))) { + *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) || + // constrain memcpy below + ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) { status = -EINVAL; ALOGW("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d", cmdSize, *replySize); diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c index 1e1e123b..610bee61 100644 --- a/voice_processing/voice_processing.c +++ b/voice_processing/voice_processing.c @@ -565,7 +565,9 @@ static int fx_command(effect_handle_t self, if (pCmdData == NULL || cmdSize < (int)sizeof(effect_param_t) || pReplyData == NULL || - *replySize < (int)sizeof(effect_param_t)) { + *replySize < (int)sizeof(effect_param_t) || + // constrain memcpy below + ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) { ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args"); return -EINVAL; } -- cgit v1.2.3