Gitiles
Code Review Sign In
review.blissroms.org / platform_hardware_qcom_audio / 0b38640dba2f16db5740b43917dbb7827784381a^! / .
commit0b38640dba2f16db5740b43917dbb7827784381a[log] [tgz]
authorrago <rago@google.com>Tue Nov 15 13:00:50 2016 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>Thu Jan 05 18:05:41 2017 -0800
tree8938e8fc7c45885db2210484219693c7c61f6927
parent9117c39d2a96fca547d42a50e88b3431a79c2073 [diff]
Fix security vulnerability: Effect command might allow negative indexes

Bug: 32588016
Bug: 32585400

Test: Use POC bug or cts security test
Change-Id: I5ef8c756369d488ad5903c163584f24de63d73e3
(cherry picked from commit 500a9feaf816c719241de83f2ee65c8e2d7ff269)
(cherry picked from commit ed79f2cc961d7d35fdbbafdd235c1436bcd74358)

diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index c2ae326..3660e84 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c

@@ -316,9 +316,14 @@
     case EQ_PARAM_GET_PRESET_NAME:
         param2 = *param_tmp;
         ALOGV("%s: EQ_PARAM_GET_PRESET_NAME: param2: %d", __func__, param2);
-        if (param2 >= equalizer_get_num_presets(eq_ctxt)) {
-            p->status = -EINVAL;
-            break;
+        if ((param2 < 0 && param2 != PRESET_CUSTOM) ||
+            param2 >= equalizer_get_num_presets(eq_ctxt)) {
+                p->status = -EINVAL;
+                if (param2 < 0) {
+                    android_errorWriteLog(0x534e4554, "32588016");
+                    ALOGW("\tERROR EQ_PARAM_GET_PRESET_NAME preset %d", param2);
+                }
+                break;
         }
         name = (char *)value;
         strlcpy(name, equalizer_get_preset_name(eq_ctxt, param2), p->vsize - 1);
@@ -373,8 +378,12 @@
     case EQ_PARAM_BAND_LEVEL:
         band =  *param_tmp;
         level = (int32_t)(*(int16_t *)value);
-        if (band >= NUM_EQ_BANDS) {
-           p->status = -EINVAL;
+        if (band < 0 || band >= NUM_EQ_BANDS) {
+            p->status = -EINVAL;
+            if (band < 0) {
+                android_errorWriteLog(0x534e4554, "32585400");
+                ALOGW("\tERROR EQ_PARAM_BAND_LEVEL band %d", band);
+            }
             break;
         }
         equalizer_set_band_level(eq_ctxt, band, level);