Fix AudioEffect reply overflow
Bug: 28173666
Change-Id: I055af37a721b20c5da0f1ec4b02f630dcd5aee02
diff --git a/msm8909/post_proc/bundle.c b/msm8909/post_proc/bundle.c
index e54d4f0..407fce4 100644
--- a/msm8909/post_proc/bundle.c
+++ b/msm8909/post_proc/bundle.c
@@ -643,8 +643,9 @@
if (pCmdData == NULL ||
cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
pReplyData == NULL ||
- *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
- sizeof(uint16_t))) {
+ *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
status = -EINVAL;
ALOGW("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
cmdSize, *replySize);
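Review bot: The added bound in this condition limits `psize` only against `*replySize`; nothing ties it to `cmdSize`, which is checked just against a fixed minimum. The memcpy the comment refers to is outside the hunk, but if it copies `sizeof(effect_param_t) + psize` bytes out of `pCmdData`, a `psize` larger than the command actually carries would read past the end of the command buffer and return those bytes in the reply. I would add `((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t) ||` ahead of the reply bound; the subtraction cannot wrap because the `cmdSize` minimum is tested first. The same applies to the hunks in msm8909/voice_processing/voice_processing.c, post_proc/bundle.c and voice_processing/voice_processing.c.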
diff --git a/msm8909/voice_processing/voice_processing.c b/msm8909/voice_processing/voice_processing.c
index 33256db..9093df4 100644
--- a/msm8909/voice_processing/voice_processing.c
+++ b/msm8909/voice_processing/voice_processing.c
@@ -563,7 +563,9 @@
if (pCmdData == NULL ||
cmdSize < (int)sizeof(effect_param_t) ||
pReplyData == NULL ||
- *replySize < (int)sizeof(effect_param_t)) {
+ *replySize < (int)sizeof(effect_param_t) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args");
return -EINVAL;
}
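Review bot: With the reply minimum here being only `sizeof(effect_param_t)`, the new bound lets `psize` consume the whole reply buffer, so nothing in this condition guarantees room for a value after the parameter. The code following the memcpy is outside the hunk; if it writes the value at an aligned offset past `psize`, as GET_PARAM handlers commonly do, that write could still land beyond `*replySize`. At minimum I would extend the comment to `// constrain memcpy below; the value written after psize must be bounded separately`, and have the value writer check the remaining space before copying. The hunk in voice_processing/voice_processing.c has the identical condition.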
diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index a6b0727..df327ab 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c
@@ -621,8 +621,9 @@
if (pCmdData == NULL ||
cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
pReplyData == NULL ||
- *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
- sizeof(uint16_t))) {
+ *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
status = -EINVAL;
ALOGV("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
cmdSize, *replySize);
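Review bot: The rejection path logs at `ALOGV`, which is normally compiled out of release builds, so a request refused by the new `psize` bound leaves no trace; the msm8909 copy of this file logs the same message with `ALOGW`. I would use `ALOGW(` here too, since an out-of-range `psize` from a client is worth seeing in logcat. The message also omits `psize`, but printing it would need its own branch, because this condition is also true when `pCmdData` is NULL. The if body continues past the end of the hunk.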
diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c
index b3f97c6..7d2b592 100644
--- a/voice_processing/voice_processing.c
+++ b/voice_processing/voice_processing.c
@@ -560,7 +560,9 @@
if (pCmdData == NULL ||
cmdSize < (int)sizeof(effect_param_t) ||
pReplyData == NULL ||
- *replySize < (int)sizeof(effect_param_t)) {
+ *replySize < (int)sizeof(effect_param_t) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args");
return -EINVAL;
}