author | Jessica Wagantall <jwagantall@cyngn.com> | 2016-07-07 13:31:11 -0700 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-07-07 14:15:46 -0700 |
commit | c6f3e593ff40ebcde58e23658755afa548d917b5 (patch) | |
tree | 7ee3946807e5743cd15162251259794762353604 | |
parent | f4ee683ba2c502664fb052605fdd25b377a69798 (diff) | |
parent | 073a80800f341325932c66818ce4302b312909a4 (diff) | |
Merge remote-tracking branch 'remotes/android-6.0.1_r52' into HEAD
Ticket: CYNGNOS-3020
Change-Id: Iafd7ca0e83097fd9bec0fe3e8ff4c05205d6410c
-rw-r--r-- | post_proc/bundle.c | 5 | ||||
-rw-r--r-- | voice_processing/voice_processing.c | 4 |
2 files changed, 6 insertions, 3 deletions
diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index 6fdbef69..b9abf5cd 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c
@@ -641,8 +641,9 @@ int effect_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
 if (pCmdData == NULL ||
 cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
 pReplyData == NULL ||
- *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
- sizeof(uint16_t))) {
+ *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
 status = -EINVAL;
 ALOGW("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
 cmdSize, *replySize);
diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c
index 90034115..f01a107e 100644
--- a/voice_processing/voice_processing.c
+++ b/voice_processing/voice_processing.c
@@ -564,7 +564,9 @@ static int fx_command(effect_handle_t self,
 if (pCmdData == NULL ||
 cmdSize < (int)sizeof(effect_param_t) ||
 pReplyData == NULL ||
- *replySize < (int)sizeof(effect_param_t)) {
+ *replySize < (int)sizeof(effect_param_t) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
 ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args");
 return -EINVAL;
 } |
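Review bot: The new bound in both hunks (`effect_command` in post_proc/bundle.c and `fx_command` in voice_processing/voice_processing.c) limits `psize` only against `*replySize`, so the source side of the copy is still unchecked: a caller-supplied `psize` larger than `cmdSize - sizeof(effect_param_t)` would presumably let the memcpy named in the comment read past the end of `pCmdData` and place adjacent memory in the reply. Adding `|| ((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t)` to each condition would close that, and the `cmdSize` minimum tested earlier in the same condition keeps that subtraction from wrapping. The added `*replySize - sizeof(effect_param_t)` has the same ordering dependency: it is unsigned arithmetic and is only safe because the `*replySize < ...` test short-circuits first, so the comment could read `// constrain memcpy below; relies on the *replySize minimum checked just above`. The memcpy and the rest of both functions lie outside the hunks, so the copy length is inferred from the comment rather than seen.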