Check effect command reply size in AudioFlinger Bug: 29251553 Change-Id: I1bcc1281f1f0542bb645f6358ce31631f2a8ffbf (cherry picked from commit 110bc9547a0c851ff1f20f5d7579b34f942947b8)

commit: 9ed8c0d0c525a9af7e8c3f02c338ef0ce4a3254e [log] [tgz]
author: Andy Hung <hunga@google.com> Mon Jun 20 15:22:52 2016 -0700
committer: Feng Yu <feny@google.com> Mon Jun 27 20:42:43 2016 +0000
tree: 99e06f133e73df3a5fcb752bd6cea99dd1e09e0e
parent: bb3a0338b58fafb01ac5b34efc450b80747e71e4 [diff]
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 949c91d..eb52dee 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp

@@ -558,6 +558,12 @@
     if (mStatus != NO_ERROR) {
         return mStatus;
     }
+    if (cmdCode == EFFECT_CMD_GET_PARAM &&
+            (*replySize < sizeof(effect_param_t) ||
+                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t))) {
+        android_errorWriteLog(0x534e4554, "29251553");
+        return -EINVAL;
+    }
     status_t status = (*mEffectInterface)->command(mEffectInterface,
                                                    cmdCode,
                                                    cmdSize,
commit	9ed8c0d0c525a9af7e8c3f02c338ef0ce4a3254e	[log] [tgz]
author	Andy Hung <hunga@google.com>	Mon Jun 20 15:22:52 2016 -0700
committer	Feng Yu <feny@google.com>	Mon Jun 27 20:42:43 2016 +0000
tree	99e06f133e73df3a5fcb752bd6cea99dd1e09e0e
parent	bb3a0338b58fafb01ac5b34efc450b80747e71e4 [diff]