Fix security vulnerability: Equalizer setParameter memory overflow
Bug: 37563371
Test: use POC on bug or cts security test
Change-Id: Ia04f172fb21b11463ffa9ea023d69a3db01e0731
diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index 1cd40d2..8c9449a 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c
@@ -364,6 +364,7 @@
equalizer_context_t *eq_ctxt = (equalizer_context_t *)context;
int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
void *value = p->data + voffset;
+ int32_t vsize = (int32_t) p->vsize;
int32_t *param_tmp = (int32_t *)p->data;
int32_t param = *param_tmp++;
int32_t preset;
@@ -378,6 +379,10 @@
switch (param) {
case EQ_PARAM_CUR_PRESET:
ALOGV("EQ_PARAM_CUR_PRESET");
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
preset = (int32_t)(*(uint16_t *)value);
if ((preset >= equalizer_get_num_presets(eq_ctxt)) || (preset < 0)) {
@@ -388,6 +393,10 @@
break;
case EQ_PARAM_BAND_LEVEL:
ALOGV("EQ_PARAM_BAND_LEVEL");
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
band = *param_tmp;
level = (int32_t)(*(int16_t *)value);
if (band < 0 || band >= NUM_EQ_BANDS) {
@@ -402,6 +411,10 @@
break;
case EQ_PARAM_PROPERTIES: {
ALOGV("EQ_PARAM_PROPERTIES");
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
int16_t *prop = (int16_t *)value;
if ((int)prop[0] >= equalizer_get_num_presets(eq_ctxt)) {
p->status = -EINVAL;
@@ -410,6 +423,13 @@
if (prop[0] >= 0) {
equalizer_set_preset(eq_ctxt, (int)prop[0]);
} else {
+ if (vsize < (2 + NUM_EQ_BANDS) * sizeof(int16_t)) {
+ android_errorWriteLog(0x534e4554, "37563371");
+ ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %d",
+ vsize, (2 + NUM_EQ_BANDS) * sizeof(int16_t));
+ p->status = -EINVAL;
+ break;
+ }
if ((int)prop[1] != NUM_EQ_BANDS) {
p->status = -EINVAL;
break;