Loading media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp +21 −6 Original line number Original line Diff line number Diff line Loading @@ -3117,10 +3117,6 @@ int Effect_command(effect_handle_t self, //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start"); //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start"); effect_param_t *p = (effect_param_t *)pCmdData; effect_param_t *p = (effect_param_t *)pCmdData; if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) { android_errorWriteLog(0x534e4554, "26347509"); return -EINVAL; } if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) || if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) || cmdSize < (sizeof(effect_param_t) + p->psize) || cmdSize < (sizeof(effect_param_t) + p->psize) || pReplyData == NULL || replySize == NULL || pReplyData == NULL || replySize == NULL || Loading 
@@ -3128,13 +3124,32 @@ int Effect_command(effect_handle_t self, ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR"); ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR"); return -EINVAL; return -EINVAL; } } if (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) { android_errorWriteLog(0x534e4554, "26347509"); ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: psize too big"); return -EINVAL; } uint32_t paddedParamSize = ((p->psize + sizeof(int32_t) - 1) / sizeof(int32_t)) * sizeof(int32_t); if ((EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < paddedParamSize) || (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) - paddedParamSize < p->vsize)) { ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: padded_psize or vsize too big"); return -EINVAL; } uint32_t expectedReplySize = sizeof(effect_param_t) + paddedParamSize + p->vsize; if (*replySize < expectedReplySize) { ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: min. replySize %u, got %u bytes", expectedReplySize, *replySize); android_errorWriteLog(0x534e4554, "32705438"); return -EINVAL; } memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); p = (effect_param_t *)pReplyData; p = (effect_param_t *)pReplyData; int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t); uint32_t voffset = paddedParamSize; if(pContext->EffectType == LVM_BASS_BOOST){ if(pContext->EffectType == LVM_BASS_BOOST){ p->status = android::BassBoost_getParameter(pContext, p->status = android::BassBoost_getParameter(pContext, p->data, p->data, Loading media/libmedia/IEffect.cpp +12 −0 Original line number Original line Diff line number Diff line Loading @@ -25,6 +25,9 @@ namespace android { namespace android { // Maximum command/reply size expected #define EFFECT_PARAM_SIZE_MAX 65536 enum { enum { ENABLE = IBinder::FIRST_CALL_TRANSACTION, ENABLE = IBinder::FIRST_CALL_TRANSACTION, DISABLE, DISABLE, Loading Loading 
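Review bot: In EffectBundle.cpp's EFFECT_CMD_GET_PARAM case, the clause `cmdSize < (sizeof(effect_param_t) + p->psize)` is now evaluated before any bound on `p->psize`, so on a build where `size_t` is 32 bits the sum can wrap and the clause passes for a very large `psize`. The `EFFECT_PARAM_SIZE_MAX` check that follows still rejects such a value before the `memcpy`, so the copy looks bounded, but only because of statement order. Writing the clause as `p->psize > cmdSize - sizeof(effect_param_t)`, which cannot wrap once `cmdSize >= sizeof(effect_param_t)` has been tested earlier in the same chain, removes that dependency. The condition continues outside the visible lines, and the definition of `EFFECT_PARAM_SIZE_MAX` that this file picks up is not shown; the only one on the page is the `#define` in IEffect.cpp, so it is worth confirming that both files see the same value.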
@@ -156,6 +159,10 @@ status_t BnEffect::onTransact( uint32_t cmdSize = data.readInt32(); uint32_t cmdSize = data.readInt32(); char *cmd = NULL; char *cmd = NULL; if (cmdSize) { if (cmdSize) { if (cmdSize > EFFECT_PARAM_SIZE_MAX) { reply->writeInt32(NO_MEMORY); return NO_ERROR; } cmd = (char *)calloc(cmdSize, 1); cmd = (char *)calloc(cmdSize, 1); if (cmd == NULL) { if (cmd == NULL) { reply->writeInt32(NO_MEMORY); reply->writeInt32(NO_MEMORY); Loading @@ -167,6 +174,11 @@ status_t BnEffect::onTransact( uint32_t replySz = replySize; uint32_t replySz = replySize; char *resp = NULL; char *resp = NULL; if (replySize) { if (replySize) { if (replySize > EFFECT_PARAM_SIZE_MAX) { free(cmd); reply->writeInt32(NO_MEMORY); return NO_ERROR; } resp = (char *)calloc(replySize, 1); resp = (char *)calloc(replySize, 1); if (resp == NULL) { if (resp == NULL) { free(cmd); free(cmd); Loading services/audioflinger/Effects.cpp +16 −0 Original line number Original line Diff line number Diff line Loading 
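Review bot: The two new limits in BnEffect::onTransact (IEffect.cpp) reject an oversized `cmdSize` or `replySize` with `NO_MEMORY` and log nothing, so an out-of-range request looks the same as a genuine `calloc` failure and leaves no trace for triage. The other two files in this commit record their rejections with `android_errorWriteLog`; here a line such as `ALOGE("%s: cmdSize %u > EFFECT_PARAM_SIZE_MAX", __func__, cmdSize);` before the early return, and the matching one for `replySize`, would make the event visible. Separately, `EFFECT_PARAM_SIZE_MAX` is a `#define` placed inside `namespace android`, which does not scope it; a typed constant or a shared header would state the intent and avoid a second definition drifting. onTransact's body starts and ends outside these hunks.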
@@ -607,6 +607,22 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode, android_errorWriteLog(0x534e4554, "32438594"); android_errorWriteLog(0x534e4554, "32438594"); return -EINVAL; return -EINVAL; } } if (cmdCode == EFFECT_CMD_GET_PARAM && (sizeof(effect_param_t) > *replySize || ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t) || ((effect_param_t *)pCmdData)->vsize > *replySize - sizeof(effect_param_t) - ((effect_param_t *)pCmdData)->psize || roundUpDelta(((effect_param_t *)pCmdData)->psize, (uint32_t)sizeof(int)) > *replySize - sizeof(effect_param_t) - ((effect_param_t *)pCmdData)->psize - ((effect_param_t *)pCmdData)->vsize)) { ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: reply size inconsistent"); android_errorWriteLog(0x534e4554, "32705438"); return -EINVAL; } if ((cmdCode == EFFECT_CMD_SET_PARAM if ((cmdCode == EFFECT_CMD_SET_PARAM || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used (sizeof(effect_param_t) > cmdSize (sizeof(effect_param_t) > cmdSize Loading Loading
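Review bot: The ALOGV text in the new GET_PARAM check of AudioFlinger::EffectModule::command (Effects.cpp) carries the tag `LVM_ERROR`, which belongs to the LVM bundle wrapper and will mislead anyone reading the log; `ALOGV("%s: EFFECT_CMD_GET_PARAM: reply size inconsistent", __func__);` fits this file. The condition is also correct only because of `||` short-circuiting: each `*replySize - sizeof(effect_param_t) - ...` subtraction avoids unsigned underflow solely because the preceding clause has already failed. A one-line comment saying so, plus hoisting `(effect_param_t *)pCmdData` into a `const effect_param_t *` local, would keep a later reorder from breaking the check. Whether `replySize` and `pCmdData` are known to be non-null at this point is decided above the hunk and cannot be confirmed from the visible lines.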
media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp +21 −6 Original line number Original line Diff line number Diff line Loading @@ -3117,10 +3117,6 @@ int Effect_command(effect_handle_t self, //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start"); //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start"); effect_param_t *p = (effect_param_t *)pCmdData; effect_param_t *p = (effect_param_t *)pCmdData; if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) { android_errorWriteLog(0x534e4554, "26347509"); return -EINVAL; } if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) || if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) || cmdSize < (sizeof(effect_param_t) + p->psize) || cmdSize < (sizeof(effect_param_t) + p->psize) || pReplyData == NULL || replySize == NULL || pReplyData == NULL || replySize == NULL || Loading 
@@ -3128,13 +3124,32 @@ int Effect_command(effect_handle_t self, ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR"); ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR"); return -EINVAL; return -EINVAL; } } if (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) { android_errorWriteLog(0x534e4554, "26347509"); ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: psize too big"); return -EINVAL; } uint32_t paddedParamSize = ((p->psize + sizeof(int32_t) - 1) / sizeof(int32_t)) * sizeof(int32_t); if ((EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < paddedParamSize) || (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) - paddedParamSize < p->vsize)) { ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: padded_psize or vsize too big"); return -EINVAL; } uint32_t expectedReplySize = sizeof(effect_param_t) + paddedParamSize + p->vsize; if (*replySize < expectedReplySize) { ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: min. replySize %u, got %u bytes", expectedReplySize, *replySize); android_errorWriteLog(0x534e4554, "32705438"); return -EINVAL; } memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); p = (effect_param_t *)pReplyData; p = (effect_param_t *)pReplyData; int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t); uint32_t voffset = paddedParamSize; if(pContext->EffectType == LVM_BASS_BOOST){ if(pContext->EffectType == LVM_BASS_BOOST){ p->status = android::BassBoost_getParameter(pContext, p->status = android::BassBoost_getParameter(pContext, p->data, p->data, Loading
media/libmedia/IEffect.cpp +12 −0 Original line number Original line Diff line number Diff line Loading @@ -25,6 +25,9 @@ namespace android { namespace android { // Maximum command/reply size expected #define EFFECT_PARAM_SIZE_MAX 65536 enum { enum { ENABLE = IBinder::FIRST_CALL_TRANSACTION, ENABLE = IBinder::FIRST_CALL_TRANSACTION, DISABLE, DISABLE, Loading Loading @@ -156,6 +159,10 @@ status_t BnEffect::onTransact( uint32_t cmdSize = data.readInt32(); uint32_t cmdSize = data.readInt32(); char *cmd = NULL; char *cmd = NULL; if (cmdSize) { if (cmdSize) { if (cmdSize > EFFECT_PARAM_SIZE_MAX) { reply->writeInt32(NO_MEMORY); return NO_ERROR; } cmd = (char *)calloc(cmdSize, 1); cmd = (char *)calloc(cmdSize, 1); if (cmd == NULL) { if (cmd == NULL) { reply->writeInt32(NO_MEMORY); reply->writeInt32(NO_MEMORY); Loading @@ -167,6 +174,11 @@ status_t BnEffect::onTransact( uint32_t replySz = replySize; uint32_t replySz = replySize; char *resp = NULL; char *resp = NULL; if (replySize) { if (replySize) { if (replySize > EFFECT_PARAM_SIZE_MAX) { free(cmd); reply->writeInt32(NO_MEMORY); return NO_ERROR; } resp = (char *)calloc(replySize, 1); resp = (char *)calloc(replySize, 1); if (resp == NULL) { if (resp == NULL) { free(cmd); free(cmd); Loading
services/audioflinger/Effects.cpp +16 −0 Original line number Original line Diff line number Diff line Loading @@ -607,6 +607,22 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode, android_errorWriteLog(0x534e4554, "32438594"); android_errorWriteLog(0x534e4554, "32438594"); return -EINVAL; return -EINVAL; } } if (cmdCode == EFFECT_CMD_GET_PARAM && (sizeof(effect_param_t) > *replySize || ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t) || ((effect_param_t *)pCmdData)->vsize > *replySize - sizeof(effect_param_t) - ((effect_param_t *)pCmdData)->psize || roundUpDelta(((effect_param_t *)pCmdData)->psize, (uint32_t)sizeof(int)) > *replySize - sizeof(effect_param_t) - ((effect_param_t *)pCmdData)->psize - ((effect_param_t *)pCmdData)->vsize)) { ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: reply size inconsistent"); android_errorWriteLog(0x534e4554, "32705438"); return -EINVAL; } if ((cmdCode == EFFECT_CMD_SET_PARAM if ((cmdCode == EFFECT_CMD_SET_PARAM || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used (sizeof(effect_param_t) > cmdSize (sizeof(effect_param_t) > cmdSize Loading