audio-hal: AudioEffect reply overflow
Adding checks to avoid audio effect reply overflow.
Change-Id: Ib23427940fb1127439a97992b0c50e48edd4ec0a
diff --git a/visualizer/offload_visualizer.c b/visualizer/offload_visualizer.c
index 65b5938..e2b6f59 100644
--- a/visualizer/offload_visualizer.c
+++ b/visualizer/offload_visualizer.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2013 The Android Open Source Project
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -1321,7 +1322,10 @@
if (pCmdData == NULL ||
cmdSize != (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
pReplyData == NULL ||
- *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t))) {
+ *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t)) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t) ||
+ ((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t)) {
status = -EINVAL;
goto exit;
}
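Review bot: The two added `psize` bounds are only safe because of clause order: `*replySize - sizeof(effect_param_t)` and `cmdSize - sizeof(effect_param_t)` are unsigned subtractions that would wrap to a huge value if the earlier size clauses in the same `||` chain were ever moved after them or relaxed. I would replace the terse `// constrain memcpy below` with a comment that records this, e.g. `// psize must fit both buffers; the size checks above keep these unsigned subtractions from wrapping`. Since `cmdSize` is already pinned to `sizeof(effect_param_t) + sizeof(uint32_t)`, the second bound reduces to `psize > sizeof(uint32_t)` and appears to make the `*replySize` bound redundant, so a single `((effect_param_t *)pCmdData)->psize > sizeof(uint32_t) ||` would state the intent more directly. `*replySize` is also dereferenced here with no visible NULL check on `replySize` itself. The enclosing function and the memcpy this guards lie outside the hunk, so confirm there that `replySize` is validated earlier.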