Fix security vulnerability: Effect command might allow negative indexes
Bug: 32448258
Bug: 32095626
Test: Use POC bug or cts security test
Change-Id: I69f24eac5866f8d9090fc4c0ebe58c2c297b63df
(cherry picked from commit 01183402d757f0c28bfd5e3b127b3809dfd67459)
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index 5f18c97..ed38584 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -2419,9 +2419,13 @@
case EQ_PARAM_GET_PRESET_NAME:
param2 = *pParamTemp;
- if (param2 >= EqualizerGetNumPresets()) {
- //if (param2 >= 20) { // AGO FIX
+ if ((param2 < 0 && param2 != PRESET_CUSTOM) || param2 >= EqualizerGetNumPresets()) {
status = -EINVAL;
+ if (param2 < 0) {
+ android_errorWriteLog(0x534e4554, "32448258");
+ ALOGE("\tERROR Equalizer_getParameter() EQ_PARAM_GET_PRESET_NAME preset %d",
+ param2);
+ }
break;
}
name = (char *)pValue;
@@ -2491,8 +2495,12 @@
band = *pParamTemp;
level = (int32_t)(*(int16_t *)pValue);
//ALOGV("\tEqualizer_setParameter() EQ_PARAM_BAND_LEVEL band %d, level %d", band, level);
- if (band >= FIVEBAND_NUMBANDS) {
+ if (band < 0 || band >= FIVEBAND_NUMBANDS) {
status = -EINVAL;
+ if (band < 0) {
+ android_errorWriteLog(0x534e4554, "32095626");
+ ALOGE("\tERROR Equalizer_setParameter() EQ_PARAM_BAND_LEVEL band %d", band);
+ }
break;
}
EqualizerSetBandLevel(pContext, band, level);