Effects: Check get parameter command size
Test: Custom test.
Bug: 32438594
Bug: 32624850
Bug: 32635664
Change-Id: I9b1315e2c02f11bea395bfdcf5c1ccddccbad8a6
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 720e43b..2193f47 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -539,6 +539,13 @@
android_errorWriteLog(0x534e4554, "29251553");
return -EINVAL;
}
+ if (cmdCode == EFFECT_CMD_GET_PARAM &&
+ (sizeof(effect_param_t) > cmdSize ||
+ ((effect_param_t *)pCmdData)->psize > cmdSize
+ - sizeof(effect_param_t))) {
+ android_errorWriteLog(0x534e4554, "32438594");
+ return -EINVAL;
+ }
if ((cmdCode == EFFECT_CMD_SET_PARAM
|| cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used
(sizeof(effect_param_t) > cmdSize