audio-hal: AudioEffect reply overflow
Adding checks to avoid audio effect reply overflow.
Change-Id: Ib23427940fb1127439a97992b0c50e48edd4ec0a
diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index 0dbf27b..a9f95b9 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c
@@ -2,6 +2,8 @@
* Copyright (c) 2013-2017, 2019, The Linux Foundation. All rights reserved.
* Not a Contribution.
*
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ *
* Copyright (C) 2013 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -847,7 +849,8 @@
pReplyData == NULL ||
*replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
// constrain memcpy below
- ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t) ||
+ ((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t)) {
status = -EINVAL;
ALOGW("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
cmdSize, *replySize);
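Review bot: The added bound `psize > cmdSize - sizeof(effect_param_t)` is evaluated in `size_t`, so when `cmdSize` is smaller than `sizeof(effect_param_t)` the right-hand side wraps to a very large value and the test rejects nothing. The existing `*replySize - sizeof(effect_param_t)` term has the same shape but is protected by the `*replySize <` minimum two lines above it. The condition begins before this hunk, so a minimum-size test on `cmdSize` may already be there; if it is not, put `cmdSize < sizeof(effect_param_t) ||` ahead of the new line. A comment on the new term such as `// psize must also fit inside the command buffer (bounds the read from pCmdData)` would help, because the existing `// constrain memcpy below` does not say which buffer each term protects. The ALOGW on the reject path could also print `psize`, so a rejected command can be triaged from the log.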