Fix security vulnerability: Effect command might allow negative indexes am: 500a9feaf8 am: 10428159a9 am: 4e9838e753 am: 1005f6ad72 am: a0a7214a5b am: e9544ba584 am: 12ae707c0b am: 45a20393fe am: 6ba74b8016 am: 04290dd042 am: c172b5dced am: b258e80034
am: 6d3da03aa8
Change-Id: I181dbc6abd97b28a1b7af856d4a2d32454a847c3
diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index 126d1f1..c3a438f 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c
@@ -325,9 +325,14 @@
ALOGV("%s: EQ_PARAM_GET_PRESET_NAME", __func__);
param2 = *param_tmp;
ALOGV("param2: %d", param2);
- if (param2 >= equalizer_get_num_presets(eq_ctxt)) {
- p->status = -EINVAL;
- break;
+ if ((param2 < 0 && param2 != PRESET_CUSTOM) ||
+ param2 >= equalizer_get_num_presets(eq_ctxt)) {
+ p->status = -EINVAL;
+ if (param2 < 0) {
+ android_errorWriteLog(0x534e4554, "32588016");
+ ALOGW("\tERROR EQ_PARAM_GET_PRESET_NAME preset %d", param2);
+ }
+ break;
}
name = (char *)value;
strlcpy(name, equalizer_get_preset_name(eq_ctxt, param2), p->vsize - 1);
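Review bot: The new condition on `param2` deliberately lets `PRESET_CUSTOM` through even though it is presumably negative, so that value still reaches `equalizer_get_preset_name(eq_ctxt, param2)` two lines later. The fix is only complete if that function special-cases `PRESET_CUSTOM` before indexing its name table, which is not visible in this hunk. A short comment above the check would record the dependency, e.g. `/* PRESET_CUSTOM is the only negative preset accepted; equalizer_get_preset_name() must handle it without indexing */`. Separately, the unchanged `strlcpy(..., p->vsize - 1)` would receive a wrapped-around size if `p->vsize` is unsigned and can be 0, so it is worth confirming that `vsize` is validated before this case; the enclosing switch starts outside the hunk.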
@@ -385,8 +390,12 @@
ALOGV("EQ_PARAM_BAND_LEVEL");
band = *param_tmp;
level = (int32_t)(*(int16_t *)value);
- if (band >= NUM_EQ_BANDS) {
- p->status = -EINVAL;
+ if (band < 0 || band >= NUM_EQ_BANDS) {
+ p->status = -EINVAL;
+ if (band < 0) {
+ android_errorWriteLog(0x534e4554, "32585400");
+ ALOGW("\tERROR EQ_PARAM_BAND_LEVEL band %d", band);
+ }
break;
}
equalizer_set_band_level(eq_ctxt, band, level);
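Review bot: `level` is read with `*(int16_t *)value` before the band check, and nothing in this hunk shows that the caller-supplied value buffer holds at least two bytes, so a command with a short value could still cause an out-of-bounds read even though `band` is now bounded on both sides. If the size is not validated earlier in the function (the case body starts outside the hunk), a guard such as `if (p->vsize < sizeof(int16_t)) { p->status = -EINVAL; break; }` ahead of the read would close that. The literal `0x534e4554` passed to `android_errorWriteLog`, here and in the EQ_PARAM_GET_PRESET_NAME hunk, would also read better as a named constant or with a one-line comment stating what the tag and the bug-id string identify.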