Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e981cca9 authored by rago's avatar rago Committed by Ricardo Garcia
Browse files

Fix security vulnerability: Equalizer command might allow negative indexes 

Bug: 32247948
Bug: 32438598
Bug: 32436341

Test: use POC on bug or cts security test

Change-Id: I91bd6aadb6c7410163e03101f365db767f4cd2a3
(cherry picked from commit 0872b65c)
parent 2c28e5b1

media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp

+15 −3
Original line number Original line Diff line number Diff line
@@ -2072,8 +2072,12 @@ int Equalizer_getParameter(EffectContext *pContext, 




    case EQ_PARAM_BAND_LEVEL:

    case EQ_PARAM_BAND_LEVEL:

        param2 = *pParamTemp;

        param2 = *pParamTemp;

        if (param2 >= FIVEBAND_NUMBANDS) {

        if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) {

            status = -EINVAL;

            status = -EINVAL;

            if (param2 < 0) {

                android_errorWriteLog(0x534e4554, "32438598");

                ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_BAND_LEVEL band %d", param2);

            }

            break;

            break;

        }

        }

        *(int16_t *)pValue = (int16_t)EqualizerGetBandLevel(pContext, param2);

        *(int16_t *)pValue = (int16_t)EqualizerGetBandLevel(pContext, param2);
@@ -2083,8 +2087,12 @@ int Equalizer_getParameter(EffectContext *pContext, 




    case EQ_PARAM_CENTER_FREQ:

    case EQ_PARAM_CENTER_FREQ:

        param2 = *pParamTemp;

        param2 = *pParamTemp;

        if (param2 >= FIVEBAND_NUMBANDS) {

        if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) {

            status = -EINVAL;

            status = -EINVAL;

            if (param2 < 0) {

                android_errorWriteLog(0x534e4554, "32436341");

                ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_CENTER_FREQ band %d", param2);

            }

            break;

            break;

        }

        }

        *(int32_t *)pValue = EqualizerGetCentreFrequency(pContext, param2);

        *(int32_t *)pValue = EqualizerGetCentreFrequency(pContext, param2);
@@ -2094,8 +2102,12 @@ int Equalizer_getParameter(EffectContext *pContext, 




    case EQ_PARAM_BAND_FREQ_RANGE:

    case EQ_PARAM_BAND_FREQ_RANGE:

        param2 = *pParamTemp;

        param2 = *pParamTemp;

        if (param2 >= FIVEBAND_NUMBANDS) {

        if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) {

            status = -EINVAL;

            status = -EINVAL;

            if (param2 < 0) {

                android_errorWriteLog(0x534e4554, "32247948");

                ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_BAND_FREQ_RANGE band %d", param2);

            }

            break;

            break;

        }

        }

        EqualizerGetBandFreqRange(pContext, param2, (uint32_t *)pValue, ((uint32_t *)pValue + 1));

        EqualizerGetBandFreqRange(pContext, param2, (uint32_t *)pValue, ((uint32_t *)pValue + 1));