Google Git
Sign in
android / platform / hardware / qcom / audio / 6851b608db7540e9da54c98bd80becd87c61b3b6^1..6851b608db7540e9da54c98bd80becd87c61b3b6 / .
commit6851b608db7540e9da54c98bd80becd87c61b3b6[log] [tgz]
authorrago <rago@google.com>Wed Jun 07 01:51:31 2017 +0000
committerandroid-build-merger <android-build-merger@google.com>Wed Jun 07 01:51:31 2017 +0000
treea1a723ea0a09facfb54b882954de0f627a929afc
parent9a14b133600d6d5144bc44e6a489d741f6007d79 [diff]
parent3f7ffd5d569081b53081036b3cdd265109b10029 [diff]
Merge "Fix security vulnerability: Equalizer setParameter memory overflow" into lmp-dev am: 1f0f83e1ff am: b3ad2a046e am: dfd990face am: 9f623d6475 am: d4517e643b am: f4c3975abf am: 878d778986 am: a31de317d4 am: 025df90241 am: 853a6bc15f am: d9a108d531
am: 3f7ffd5d56

Change-Id: I6a98056f0c2d56c34bc7780e05f055ae6e9e731e

diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index d776fc4..4e4552f 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c

@@ -371,6 +371,7 @@
     equalizer_context_t *eq_ctxt = (equalizer_context_t *)context;
     int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
     void *value = p->data + voffset;
+    int32_t vsize = (int32_t) p->vsize;
     int32_t *param_tmp = (int32_t *)p->data;
     int32_t param = *param_tmp++;
     int32_t preset;
@@ -385,6 +386,10 @@
     switch (param) {
     case EQ_PARAM_CUR_PRESET:
 	ALOGV("EQ_PARAM_CUR_PRESET");
+        if (vsize < sizeof(int16_t)) {
+           p->status = -EINVAL;
+           break;
+        }
         preset = (int32_t)(*(uint16_t *)value);
 
         if ((preset >= equalizer_get_num_presets(eq_ctxt)) || (preset < 0)) {
@@ -395,6 +400,10 @@
         break;
     case EQ_PARAM_BAND_LEVEL:
 	ALOGV("EQ_PARAM_BAND_LEVEL");
+        if (vsize < sizeof(int16_t)) {
+            p->status = -EINVAL;
+            break;
+        }
         band =  *param_tmp;
         level = (int32_t)(*(int16_t *)value);
         if (band < 0 || band >= NUM_EQ_BANDS) {
@@ -409,6 +418,10 @@
         break;
     case EQ_PARAM_PROPERTIES: {
 	ALOGV("EQ_PARAM_PROPERTIES");
+        if (vsize < sizeof(int16_t)) {
+            p->status = -EINVAL;
+            break;
+        }
         int16_t *prop = (int16_t *)value;
         if ((int)prop[0] >= equalizer_get_num_presets(eq_ctxt)) {
             p->status = -EINVAL;
@@ -417,6 +430,13 @@
         if (prop[0] >= 0) {
             equalizer_set_preset(eq_ctxt, (int)prop[0]);
         } else {
+            if (vsize < (2 + NUM_EQ_BANDS) * sizeof(int16_t)) {
+                android_errorWriteLog(0x534e4554, "37563371");
+                ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %d",
+                                  vsize, (2 + NUM_EQ_BANDS) * sizeof(int16_t));
+                p->status = -EINVAL;
+                break;
+            }
             if ((int)prop[1] != NUM_EQ_BANDS) {
                 p->status = -EINVAL;
                 break;