Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 955bedff authored by Eric Laurent's avatar Eric Laurent Committed by Michael Bestas
Browse files

fix possible overflow in effect wrappers. 

Add checks on parameter size field in effect command handlers
to avoid overflow leading to invalid comparison with min allowed
size for command and reply buffers.

Bug: 26347509.
Change-Id: I20e6a9b6de8e5172b957caa1ac9410b9752efa4d
(cherry picked from commit ad1bd92a)
(cherry picked from commit 9e29523b)
parent ae87c002

media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp

+4 −1
Original line number Diff line number Diff line
@@ -2819,7 +2819,10 @@ int Effect_command(effect_handle_t self, 
            //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");



            effect_param_t *p = (effect_param_t *)pCmdData;



            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {

                android_errorWriteLog(0x534e4554, "26347509");

                return -EINVAL;

            }

            if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||

                    cmdSize < (sizeof(effect_param_t) + p->psize) ||

                    pReplyData == NULL || replySize == NULL ||

media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp

+4 −1
Original line number Diff line number Diff line
@@ -1953,7 +1953,10 @@ int Reverb_command(effect_handle_t self, 
            //ALOGV("\tReverb_command cmdCode Case: "

            //        "EFFECT_CMD_GET_PARAM start");

            effect_param_t *p = (effect_param_t *)pCmdData;



            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {

                android_errorWriteLog(0x534e4554, "26347509");

                return -EINVAL;

            }

            if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||

                    cmdSize < (sizeof(effect_param_t) + p->psize) ||

                    pReplyData == NULL || replySize == NULL ||