Gitiles
Code Review Sign In
review.blissroms.org / platform_hardware_qcom_audio / ba5a77d72a7670826c6d73eead4466fd49d50a0f^1..ba5a77d72a7670826c6d73eead4466fd49d50a0f / .
commitba5a77d72a7670826c6d73eead4466fd49d50a0f[log] [tgz]
authorAndy Hung <hunga@google.com>Mon May 16 22:05:13 2016 +0000
committerandroid-build-merger <android-build-merger@google.com>Mon May 16 22:05:13 2016 +0000
treee2a3891e1866db5486b1ca1b74cb462c02594e92
parent083f301c090b4fb91dd40be51e5cd2137054771d [diff]
parenta17042b10868b60b0f34dfe41a867b76e96a5adc [diff]
Merge "DO NOT MERGE Fix AudioEffect reply overflow" into mnc-dev am: e29e934c6e am: a95c6afecb
am: a17042b108

* commit 'a17042b10868b60b0f34dfe41a867b76e96a5adc':
  DO NOT MERGE Fix AudioEffect reply overflow

Change-Id: Ic6a4840abe0e8cac3dae5be5f537412c7dd5c5a4

diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index a6b0727..df327ab 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c

@@ -621,8 +621,9 @@
         if (pCmdData == NULL ||
             cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
             pReplyData == NULL ||
-            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
-                               sizeof(uint16_t))) {
+            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+            // constrain memcpy below
+            ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
             status = -EINVAL;
             ALOGV("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
                   cmdSize, *replySize);

diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c
index b3f97c6..7d2b592 100644
--- a/voice_processing/voice_processing.c
+++ b/voice_processing/voice_processing.c

@@ -560,7 +560,9 @@
             if (pCmdData == NULL ||
                     cmdSize < (int)sizeof(effect_param_t) ||
                     pReplyData == NULL ||
-                    *replySize < (int)sizeof(effect_param_t)) {
+                    *replySize < (int)sizeof(effect_param_t) ||
+                    // constrain memcpy below
+                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
                 ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args");
                 return -EINVAL;
             }