Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ad1bd92a authored by Eric Laurent's avatar Eric Laurent
Browse files

fix possible overflow in effect wrappers. 

Add checks on parameter size field in effect command handlers
to avoid overflow leading to invalid comparison with min allowed
size for command and reply buffers.

Bug: 26347509.
Change-Id: I20e6a9b6de8e5172b957caa1ac9410b9752efa4d
parent a3e696da

media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp

+4 −1
Original line number Diff line number Diff line
@@ -3097,7 +3097,10 @@ int Effect_command(effect_handle_t self, 
            //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");



            effect_param_t *p = (effect_param_t *)pCmdData;



            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {

                android_errorWriteLog(0x534e4554, "26347509");

                return -EINVAL;

            }

            if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||

                    cmdSize < (sizeof(effect_param_t) + p->psize) ||

                    pReplyData == NULL || replySize == NULL ||

media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp

+4 −1
Original line number Diff line number Diff line
@@ -1956,7 +1956,10 @@ int Reverb_command(effect_handle_t self, 
            //ALOGV("\tReverb_command cmdCode Case: "

            //        "EFFECT_CMD_GET_PARAM start");

            effect_param_t *p = (effect_param_t *)pCmdData;



            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {

                android_errorWriteLog(0x534e4554, "26347509");

                return -EINVAL;

            }

            if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||

                    cmdSize < (sizeof(effect_param_t) + p->psize) ||

                    pReplyData == NULL || replySize == NULL ||