commit 611640c34809c2224a35a57cd5f35f59af9442cf
author Linux Build Service Account <lnxbuild@localhost> Wed Jan 18 07:30:04 2017 -0700
committer Linux Build Service Account <lnxbuild@localhost> Wed Jan 18 07:30:04 2017 -0700
tree cd078b4beec1800921c2c79511ff9162c603801a
parent 28fb1760deec6dbf7d3273c6030b853dadce280b
parent c634a5131c0ee9f933a7707e451e0abf3859e860

Promotion of audio-userspace.lnx.2.2-00010.

CRs      Change ID                                   Subject
--------------------------------------------------------------------------------------------------------------
1101044   I56a92582687599b5b313dea1abcb8bcb19c7fc0e   Fix security vulnerability: Equalizer command might allo
1101045   I5ef8c756369d488ad5903c163584f24de63d73e3   Fix security vulnerability: Effect command might allow n

Change-Id: I18ddd6703cc3b1ffeead05451ee150438d102c99
CRs-Fixed: 1101044, 1101045

post_proc/equalizer.c

diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index c2ae326..a9da8b4 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c
@@ -274,8 +274,12 @@
 
     case EQ_PARAM_BAND_LEVEL:
         param2 = *param_tmp;
-        if (param2 >= NUM_EQ_BANDS) {
+        if (param2 < 0 || param2 >= NUM_EQ_BANDS) {
             p->status = -EINVAL;
+            if (param2 < 0) {
+                android_errorWriteLog(0x534e4554, "32438598");
+                ALOGW("\tERROR EQ_PARAM_BAND_LEVEL band %d", param2);
+            }
             break;
         }
         *(int16_t *)value = (int16_t)equalizer_get_band_level(eq_ctxt, param2);
@@ -283,8 +287,12 @@
 
     case EQ_PARAM_CENTER_FREQ:
         param2 = *param_tmp;
-        if (param2 >= NUM_EQ_BANDS) {
-           p->status = -EINVAL;
+        if (param2 < 0 || param2 >= NUM_EQ_BANDS) {
+            p->status = -EINVAL;
+            if (param2 < 0) {
+                android_errorWriteLog(0x534e4554, "32436341");
+                ALOGW("\tERROR EQ_PARAM_CENTER_FREQ band %d", param2);
+            }
             break;
         }
         *(int32_t *)value = equalizer_get_center_frequency(eq_ctxt, param2);
@@ -292,8 +300,12 @@
 
     case EQ_PARAM_BAND_FREQ_RANGE:
         param2 = *param_tmp;
-        if (param2 >= NUM_EQ_BANDS) {
+        if (param2 < 0 || param2 >= NUM_EQ_BANDS) {
             p->status = -EINVAL;
+            if (param2 < 0) {
+                android_errorWriteLog(0x534e4554, "32247948");
+                ALOGW("\tERROR EQ_PARAM_BAND_FREQ_RANGE band %d", param2);
+            }
            break;
         }
        equalizer_get_band_freq_range(eq_ctxt, param2, (uint32_t *)value,
@@ -316,9 +328,14 @@
     case EQ_PARAM_GET_PRESET_NAME:
         param2 = *param_tmp;
         ALOGV("%s: EQ_PARAM_GET_PRESET_NAME: param2: %d", __func__, param2);
-        if (param2 >= equalizer_get_num_presets(eq_ctxt)) {
-            p->status = -EINVAL;
-            break;
+        if ((param2 < 0 && param2 != PRESET_CUSTOM) ||
+            param2 >= equalizer_get_num_presets(eq_ctxt)) {
+                p->status = -EINVAL;
+                if (param2 < 0) {
+                    android_errorWriteLog(0x534e4554, "32588016");
+                    ALOGW("\tERROR EQ_PARAM_GET_PRESET_NAME preset %d", param2);
+                }
+                break;
         }
         name = (char *)value;
         strlcpy(name, equalizer_get_preset_name(eq_ctxt, param2), p->vsize - 1);
@@ -373,8 +390,12 @@
     case EQ_PARAM_BAND_LEVEL:
         band =  *param_tmp;
         level = (int32_t)(*(int16_t *)value);
-        if (band >= NUM_EQ_BANDS) {
-           p->status = -EINVAL;
+        if (band < 0 || band >= NUM_EQ_BANDS) {
+            p->status = -EINVAL;
+            if (band < 0) {
+                android_errorWriteLog(0x534e4554, "32585400");
+                ALOGW("\tERROR EQ_PARAM_BAND_LEVEL band %d", band);
+            }
             break;
         }
         equalizer_set_band_level(eq_ctxt, band, level);