Merge "DO NOT MERGE Fix AudioEffect reply overflow" into mnc-dev am: e29e934c6e am: a95c6afecb
am: a17042b108

* commit 'a17042b10868b60b0f34dfe41a867b76e96a5adc':
  DO NOT MERGE Fix AudioEffect reply overflow

Change-Id: Ic6a4840abe0e8cac3dae5be5f537412c7dd5c5a4
diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index a6b0727..df327ab 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c
@@ -621,8 +621,9 @@
         if (pCmdData == NULL ||
             cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
             pReplyData == NULL ||
-            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
-                               sizeof(uint16_t))) {
+            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+            // constrain memcpy below
+            ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
             status = -EINVAL;
             ALOGV("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
                   cmdSize, *replySize);
diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c
index b3f97c6..7d2b592 100644
--- a/voice_processing/voice_processing.c
+++ b/voice_processing/voice_processing.c
@@ -560,7 +560,9 @@
             if (pCmdData == NULL ||
                     cmdSize < (int)sizeof(effect_param_t) ||
                     pReplyData == NULL ||
-                    *replySize < (int)sizeof(effect_param_t)) {
+                    *replySize < (int)sizeof(effect_param_t) ||
+                    // constrain memcpy below
+                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
                 ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args");
                 return -EINVAL;
             }