Gitiles
Code Review Sign In
review.blissroms.org / platform_hardware_qcom_audio / dad992a9298b90dcea3cfb3a9d2d2ed9fd55d416^1..dad992a9298b90dcea3cfb3a9d2d2ed9fd55d416 / .
commitdad992a9298b90dcea3cfb3a9d2d2ed9fd55d416[log] [tgz]
authorandroid-build-team Robot <android-build-team-robot@google.com>Wed Jun 07 07:47:10 2017 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>Wed Jun 07 07:47:10 2017 +0000
tree90fb5bc1df301252d1dcf52646e915d14ce0c1b7
parent871e20e7069be22a6b153e0dddfe717986ceb3d3 [diff]
parentd3448da042e991a6feac53764c72ce075fe7835f [diff]
release-request-224b654d-e3ad-4f05-a95d-d10d1516b3f6-for-git_oc-release-4075622 snap-temp-L17600000071371496

Change-Id: Iff1c7d28d2a73fe8a6af9106f275dd0ec7fb65b7

diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index a8e5d1f..f7d6152 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c

@@ -334,6 +334,13 @@
                 }
                 break;
         }
+
+        if (p->vsize < 1) {
+            p->status = -EINVAL;
+            android_errorWriteLog(0x534e4554, "37536407");
+            break;
+        }
+
         name = (char *)value;
         strlcpy(name, equalizer_get_preset_name(eq_ctxt, param2), p->vsize - 1);
         name[p->vsize - 1] = 0;
@@ -364,6 +371,7 @@
     equalizer_context_t *eq_ctxt = (equalizer_context_t *)context;
     int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
     void *value = p->data + voffset;
+    int32_t vsize = (int32_t) p->vsize;
     int32_t *param_tmp = (int32_t *)p->data;
     int32_t param = *param_tmp++;
     int32_t preset;
@@ -378,6 +386,10 @@
     switch (param) {
     case EQ_PARAM_CUR_PRESET:
 	ALOGV("EQ_PARAM_CUR_PRESET");
+        if (vsize < sizeof(int16_t)) {
+           p->status = -EINVAL;
+           break;
+        }
         preset = (int32_t)(*(uint16_t *)value);
 
         if ((preset >= equalizer_get_num_presets(eq_ctxt)) || (preset < 0)) {
@@ -388,6 +400,10 @@
         break;
     case EQ_PARAM_BAND_LEVEL:
 	ALOGV("EQ_PARAM_BAND_LEVEL");
+        if (vsize < sizeof(int16_t)) {
+            p->status = -EINVAL;
+            break;
+        }
         band =  *param_tmp;
         level = (int32_t)(*(int16_t *)value);
         if (band < 0 || band >= NUM_EQ_BANDS) {
@@ -402,6 +418,10 @@
         break;
     case EQ_PARAM_PROPERTIES: {
 	ALOGV("EQ_PARAM_PROPERTIES");
+        if (vsize < sizeof(int16_t)) {
+            p->status = -EINVAL;
+            break;
+        }
         int16_t *prop = (int16_t *)value;
         if ((int)prop[0] >= equalizer_get_num_presets(eq_ctxt)) {
             p->status = -EINVAL;
@@ -410,6 +430,13 @@
         if (prop[0] >= 0) {
             equalizer_set_preset(eq_ctxt, (int)prop[0]);
         } else {
+            if (vsize < (2 + NUM_EQ_BANDS) * sizeof(int16_t)) {
+                android_errorWriteLog(0x534e4554, "37563371");
+                ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %d",
+                                  vsize, (2 + NUM_EQ_BANDS) * sizeof(int16_t));
+                p->status = -EINVAL;
+                break;
+            }
             if ((int)prop[1] != NUM_EQ_BANDS) {
                 p->status = -EINVAL;
                 break;