DO NOT MERGE Fix AudioEffect reply overflow Bug: 28173666 Change-Id: I055af37a721b20c5da0f1ec4b02f630dcd5aee02 (cherry picked from commit 57fd9637536d40ec8c40a6bed76a71471dab0f64)

commit: eae4d565486bb12c50f7ad4a5a0403935ea5b03a [log] [tgz]
author: Andy Hung <hunga@google.com> Thu Apr 28 13:43:44 2016 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> Thu Aug 04 10:20:10 2016 -0700
tree: f967cabdb47ae242a329ec481bcb4c887ed84c7b
parent: 8f0306eb2b13d14f02f83aa438a690ba28cfcbda [diff]
diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index 464bc0d..fd5ee8c 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c

@@ -852,8 +852,9 @@
         if (pCmdData == NULL ||
             cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
             pReplyData == NULL ||
-            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) +
-                               sizeof(uint16_t))) {
+            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
+            // constrain memcpy below
+            ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
             status = -EINVAL;
             ALOGW("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
                   cmdSize, *replySize);
commit	eae4d565486bb12c50f7ad4a5a0403935ea5b03a	[log] [tgz]
author	Andy Hung <hunga@google.com>	Thu Apr 28 13:43:44 2016 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Thu Aug 04 10:20:10 2016 -0700
tree	f967cabdb47ae242a329ec481bcb4c887ed84c7b
parent	8f0306eb2b13d14f02f83aa438a690ba28cfcbda [diff]