Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9e29523b authored by Eric Laurent's avatar Eric Laurent
Browse files

fix possible overflow in effect wrappers. 

Add checks on parameter size field in effect command handlers
to avoid overflow leading to invalid comparison with min allowed
size for command and reply buffers.

Bug: 26347509.
Change-Id: I20e6a9b6de8e5172b957caa1ac9410b9752efa4d
(cherry picked from commit ad1bd92a)
parent 3d6a7149

media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp

+4 −1
Original line number Diff line number Diff line
@@ -2809,7 +2809,10 @@ int Effect_command(effect_handle_t self, 
            //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");



            effect_param_t *p = (effect_param_t *)pCmdData;



            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {

                android_errorWriteLog(0x534e4554, "26347509");

                return -EINVAL;

            }

            if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||

                    cmdSize < (sizeof(effect_param_t) + p->psize) ||

                    pReplyData == NULL || replySize == NULL ||

media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp

+4 −1
Original line number Diff line number Diff line
@@ -1953,7 +1953,10 @@ int Reverb_command(effect_handle_t self, 
            //ALOGV("\tReverb_command cmdCode Case: "

            //        "EFFECT_CMD_GET_PARAM start");

            effect_param_t *p = (effect_param_t *)pCmdData;



            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {

                android_errorWriteLog(0x534e4554, "26347509");

                return -EINVAL;

            }

            if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||

                    cmdSize < (sizeof(effect_param_t) + p->psize) ||

                    pReplyData == NULL || replySize == NULL ||