Fix security vulnerability: Equalizer command might allow negative indexes
Bug: 32247948
Bug: 32438598
Bug: 32436341
Test: use POC on bug or cts security test
Change-Id: I56a92582687599b5b313dea1abcb8bcb19c7fc0e
(cherry picked from commit 3f37d4ef89f4f0eef9e201c5a91b7b2c77ed1071)
(cherry picked from commit ceb7b2d7a4c4cb8d03f166c61f5c7551c6c760aa)
(cherry picked from commit d72ea85c78a1a68bf99fd5804ad9784b4102fe57)
diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index 3660e84..a9da8b4 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c
@@ -274,8 +274,12 @@
case EQ_PARAM_BAND_LEVEL:
param2 = *param_tmp;
- if (param2 >= NUM_EQ_BANDS) {
+ if (param2 < 0 || param2 >= NUM_EQ_BANDS) {
p->status = -EINVAL;
+ if (param2 < 0) {
+ android_errorWriteLog(0x534e4554, "32438598");
+ ALOGW("\tERROR EQ_PARAM_BAND_LEVEL band %d", param2);
+ }
break;
}
*(int16_t *)value = (int16_t)equalizer_get_band_level(eq_ctxt, param2);
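Review bot: The band-index check and its logging are now spelled out three times (here and in the EQ_PARAM_CENTER_FREQ and EQ_PARAM_BAND_FREQ_RANGE hunks), differing only in the bug-id string and the parameter name. A later case can therefore easily be added with just the upper-bound test again, which is the pattern this commit fixes. One static helper that validates the index against the range 0 to NUM_EQ_BANDS - 1 and does the logging would keep every caller identical; a sketch follows, assuming `param2` is a signed int as the `%d` format and the `< 0` test suggest. The literal `0x534e4554` (ASCII "SNET", the SafetyNet event-log tag) should also get a named constant or a one-line comment. The enclosing switch starts and ends outside the hunk.

```c
/* Returns nonzero when band indexes a real equalizer band. A negative band
 * is additionally reported to the event log under bug_id. */
static int eq_band_index_ok(int band, const char *bug_id, const char *param_name)
{
    if (band >= 0 && band < NUM_EQ_BANDS)
        return 1;
    if (band < 0) {
        android_errorWriteLog(0x534e4554 /* "SNET" */, bug_id);
        ALOGW("\tERROR %s band %d", param_name, band);
    }
    return 0;
}

// … unchanged: start of the parameter switch …
case EQ_PARAM_BAND_LEVEL:
    param2 = *param_tmp;
    if (!eq_band_index_ok(param2, "32438598", "EQ_PARAM_BAND_LEVEL")) {
        p->status = -EINVAL;
        break;
    }
    // … unchanged: equalizer_get_band_level store into value …
```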
@@ -283,8 +287,12 @@
case EQ_PARAM_CENTER_FREQ:
param2 = *param_tmp;
- if (param2 >= NUM_EQ_BANDS) {
- p->status = -EINVAL;
+ if (param2 < 0 || param2 >= NUM_EQ_BANDS) {
+ p->status = -EINVAL;
+ if (param2 < 0) {
+ android_errorWriteLog(0x534e4554, "32436341");
+ ALOGW("\tERROR EQ_PARAM_CENTER_FREQ band %d", param2);
+ }
break;
}
*(int32_t *)value = equalizer_get_center_frequency(eq_ctxt, param2);
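Review bot: The store `*(int32_t *)value = ...` that follows the new check writes four bytes through a cast of `value`, and nothing in this hunk shows that the reply buffer was verified to hold them. The same question applies to the `int16_t` store in the EQ_PARAM_BAND_LEVEL case and to reading the second parameter word via `*param_tmp`. Validating the index bounds the table lookup but not these accesses, so it is worth confirming that a length check on the parameter and value sizes exists earlier in the function, which lies outside the hunk. If it does not, and assuming `p` is the `effect_param_t` for this command, a guard such as `if (p->vsize < sizeof(int32_t)) { p->status = -EINVAL; break; }` before the store would cover it.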
@@ -292,8 +300,12 @@
case EQ_PARAM_BAND_FREQ_RANGE:
param2 = *param_tmp;
- if (param2 >= NUM_EQ_BANDS) {
+ if (param2 < 0 || param2 >= NUM_EQ_BANDS) {
p->status = -EINVAL;
+ if (param2 < 0) {
+ android_errorWriteLog(0x534e4554, "32247948");
+ ALOGW("\tERROR EQ_PARAM_BAND_FREQ_RANGE band %d", param2);
+ }
break;
}
equalizer_get_band_freq_range(eq_ctxt, param2, (uint32_t *)value,