diff options
| author | Andy Hung <hunga@google.com> | 2016-04-28 13:43:44 -0700 |
|---|---|---|
| committer | The Android Automerger <android-build@google.com> | 2016-05-27 11:31:30 -0700 |
| commit | 073a80800f341325932c66818ce4302b312909a4 (patch) | |
| tree | d016e6ae68111687fbcb1555db11360e51cda955 /voice_processing | |
| parent | a18111d2db2a5e43a5ba318073986c12f9c86720 (diff) | |
| download | hardware_qcom_audio-073a80800f341325932c66818ce4302b312909a4.tar.gz hardware_qcom_audio-073a80800f341325932c66818ce4302b312909a4.tar.bz2 hardware_qcom_audio-073a80800f341325932c66818ce4302b312909a4.zip | |
DO NOT MERGE Fix AudioEffect reply overflow
Bug: 28173666
Change-Id: I055af37a721b20c5da0f1ec4b02f630dcd5aee02
Diffstat (limited to 'voice_processing')
| -rw-r--r-- | voice_processing/voice_processing.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c index b3f97c6a..7d2b5929 100644 --- a/voice_processing/voice_processing.c +++ b/voice_processing/voice_processing.c @@ -560,7 +560,9 @@ static int fx_command(effect_handle_t self, if (pCmdData == NULL || cmdSize < (int)sizeof(effect_param_t) || pReplyData == NULL || - *replySize < (int)sizeof(effect_param_t)) { + *replySize < (int)sizeof(effect_param_t) || + // constrain memcpy below + ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) { ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args"); return -EINVAL; } |