Merge "DO NOT MERGE Fix AudioEffect reply overflow" into mnc-dev am: e29e934c6e am: a95c6afecb
am: a17042b108
* commit 'a17042b10868b60b0f34dfe41a867b76e96a5adc':
DO NOT MERGE Fix AudioEffect reply overflow
Change-Id: Ic6a4840abe0e8cac3dae5be5f537412c7dd5c5a4
diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index a6b0727..df327ab 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c
@@ -621,8 +621,9 @@
if (pCmdData == NULL ||
cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
pReplyData == NULL ||
- *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
- sizeof(uint16_t))) {
+ *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
status = -EINVAL;
ALOGV("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
cmdSize, *replySize);
diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c
index b3f97c6..7d2b592 100644
--- a/voice_processing/voice_processing.c
+++ b/voice_processing/voice_processing.c
@@ -560,7 +560,9 @@
if (pCmdData == NULL ||
cmdSize < (int)sizeof(effect_param_t) ||
pReplyData == NULL ||
- *replySize < (int)sizeof(effect_param_t)) {
+ *replySize < (int)sizeof(effect_param_t) ||
+ // constrain memcpy below
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args");
return -EINVAL;
}