Diffstat (limited to 'post_proc/bundle.c')
-rw-r--r-- | post_proc/bundle.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index 6fdbef69..b9abf5cd 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c
@@ -641,8 +641,9 @@ int effect_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
 if (pCmdData == NULL ||
 cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
 pReplyData == NULL ||
- *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
- sizeof(uint16_t))) {
+ *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
 status = -EINVAL;
 ALOGW("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
 cmdSize, *replySize); |
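Review bot: The added clause bounds `psize` only against `*replySize`, so the source side of the copy is still unchecked: `cmdSize` is only required to be at least `sizeof(effect_param_t) + sizeof(uint32_t)`. The memcpy the comment refers to lies outside this hunk, but if it reads `sizeof(effect_param_t) + psize` bytes from `pCmdData`, a caller-supplied `psize` larger than the command payload would read past the command buffer and copy adjacent memory into the reply. Consider adding `((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t) ||` to the same condition. The unsigned subtraction `*replySize - sizeof(effect_param_t)` cannot wrap only because the preceding `*replySize < ...` clause short-circuits first, so the comment should say so, e.g. `// constrain memcpy below; subtraction cannot wrap, *replySize was checked above`.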