Merge "Fix security vulnerability: Equalizer setParameter memory overflow" into klp-dev am: ef3a4aead0 am: 0ef6d9c121 am: 966e572c69 am: 1f7d80772c am: a7e658fcca am: 6d2092f734 am: 6447404db3 am: 8693c57563 am: 25e3a40344 am: 51789f19de am: 7ba7584303 am: 5304cbcee8 am: 798dba38c4 am: fdd5f801f5
am: cdc2e0a0d8

Change-Id: I9bcbd28defbddbc323f86cdb4e3f0d57c6518625
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index 924367d..df6501b 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -148,7 +148,10 @@
                                void           *pParam,
                                uint32_t       *pValueSize,
                                void           *pValue);
-int  Equalizer_setParameter    (EffectContext *pContext, void *pParam, void *pValue);
+int  Equalizer_setParameter    (EffectContext *pContext,
+                               void *pParam,
+                               uint32_t valueSize,
+                               void *pValue);
 int  Equalizer_getParameter    (EffectContext *pContext,
                                 void          *pParam,
                                 uint32_t      *pValueSize,
@@ -2475,12 +2478,17 @@
 // Inputs:
 //  pEqualizer    - handle to instance data
 //  pParam        - pointer to parameter
+//  valueSize     - value size
 //  pValue        - pointer to value
+
 //
 // Outputs:
 //
 //----------------------------------------------------------------------------
-int Equalizer_setParameter (EffectContext *pContext, void *pParam, void *pValue){
+int Equalizer_setParameter (EffectContext *pContext,
+                            void *pParam,
+                            uint32_t valueSize,
+                            void *pValue) {
     int status = 0;
     int32_t preset;
     int32_t band;
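Review bot: The new header line `//  valueSize     - value size` only restates the parameter name; it should say what the number measures and who supplies it, for example `//  valueSize     - size in bytes of the buffer at pValue, as reported by the caller`. The blank line added right after the `pValue` entry also splits the comment block, and would read better as a `//` line like its neighbours. The body of Equalizer_setParameter continues outside this hunk.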
@@ -2492,6 +2500,10 @@
     //ALOGV("\tEqualizer_setParameter start");
     switch (param) {
     case EQ_PARAM_CUR_PRESET:
+        if (valueSize < sizeof(int16_t)) {
+          status = -EINVAL;
+          break;
+        }
         preset = (int32_t)(*(uint16_t *)pValue);
 
         //ALOGV("\tEqualizer_setParameter() EQ_PARAM_CUR_PRESET %d", preset);
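Review bot: The undersized-buffer rejection added under `EQ_PARAM_CUR_PRESET` returns -EINVAL without logging anything, while the later `EQ_PARAM_PROPERTIES` length check writes both an `ALOGE` line and an event-log entry; the same silent pattern is repeated under `EQ_PARAM_BAND_LEVEL` and at the top of `EQ_PARAM_PROPERTIES`. A malformed request that stops at one of these three guards therefore leaves no trace for whoever triages the device logs. Consider an error line in each, e.g. `ALOGE("\tERROR Equalizer_setParameter() EQ_PARAM_CUR_PRESET valueSize %u too small", valueSize);`. The guard also compares against `sizeof(int16_t)` while the read on the next line goes through `uint16_t *`; the sizes match, but using the same type in both places reads more clearly. The switch starts and ends outside the hunk.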
@@ -2502,6 +2514,10 @@
         EqualizerSetPreset(pContext, preset);
         break;
     case EQ_PARAM_BAND_LEVEL:
+        if (valueSize < sizeof(int16_t)) {
+          status = -EINVAL;
+          break;
+        }
         band =  *pParamTemp;
         level = (int32_t)(*(int16_t *)pValue);
         //ALOGV("\tEqualizer_setParameter() EQ_PARAM_BAND_LEVEL band %d, level %d", band, level);
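Review bot: The added guard under `EQ_PARAM_BAND_LEVEL` bounds the read through `pValue`, but `band =  *pParamTemp;` on the next line still reads from the parameter buffer with no length check, because the new signature carries `valueSize` and no parameter size. `pParamTemp` is declared outside the hunk; if it has already been advanced past the parameter id, this read needs at least two `int32_t` in `pParam`, and nothing visible here guarantees that. Passing the parameter length alongside `valueSize` (say as a new `paramSize` argument) and rejecting short input before the read, e.g. `if (paramSize < 2 * sizeof(int32_t)) { status = -EINVAL; break; }`, would close the same class of over-read on the parameter side.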
@@ -2517,6 +2533,10 @@
         break;
     case EQ_PARAM_PROPERTIES: {
         //ALOGV("\tEqualizer_setParameter() EQ_PARAM_PROPERTIES");
+        if (valueSize < sizeof(int16_t)) {
+          status = -EINVAL;
+          break;
+        }
         int16_t *p = (int16_t *)pValue;
         if ((int)p[0] >= EqualizerGetNumPresets()) {
             status = -EINVAL;
@@ -2525,6 +2545,13 @@
         if (p[0] >= 0) {
             EqualizerSetPreset(pContext, (int)p[0]);
         } else {
+            if (valueSize < (2 + FIVEBAND_NUMBANDS) * sizeof(int16_t)) {
+              android_errorWriteLog(0x534e4554, "37563371");
+              ALOGE("\tERROR Equalizer_setParameter() EQ_PARAM_PROPERTIES valueSize %d < %d",
+                    (int)valueSize, (int)((2 + FIVEBAND_NUMBANDS) * sizeof(int16_t)));
+              status = -EINVAL;
+              break;
+            }
             if ((int)p[1] != FIVEBAND_NUMBANDS) {
                 status = -EINVAL;
                 break;
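Review bot: The expression `(2 + FIVEBAND_NUMBANDS) * sizeof(int16_t)` appears twice in the added block with no explanation of where the 2 comes from. From the visible lines p[0] is the preset and p[1] the band count, so the remainder is presumably one level per band read after this hunk; a comment such as `// layout: preset, band count, then FIVEBAND_NUMBANDS band levels` (to be confirmed against the code below) and a local `const size_t minSize = (2 + FIVEBAND_NUMBANDS) * sizeof(int16_t);` would keep the check and the log message in step. The added lines are also indented by two spaces inside the `if` where the surrounding code uses four. The else branch continues outside the hunk.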
@@ -3297,7 +3324,8 @@
 
                 *(int *)pReplyData = android::Equalizer_setParameter(pContext,
                                                                     (void *)p->data,
-                                                                     p->data + p->psize);
+                                                                    p->vsize,
+                                                                    p->data + p->psize);
             }
             if(pContext->EffectType == LVM_VOLUME){
                 //ALOGV("\tVolume_command cmdCode Case: EFFECT_CMD_SET_PARAM start");
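Review bot: The value forwarded as `valueSize` is `p->vsize`, a field read from the same command buffer as the data, so the new guards in Equalizer_setParameter are only as good as the validation of that field. Whether the command length (`cmdSize` in the effect command interface) has been compared against `sizeof(effect_param_t) + p->psize + p->vsize` before this call is not visible in the hunk; if it has not, the guards would be comparing against a declared length rather than the real one. A check of that form ahead of the call, returning -EINVAL on mismatch, would tie the two together. The enclosing command handler starts and ends outside the hunk.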