
Commit 7e9fbb8f authored by rago's avatar rago Committed by Bruno Martins

Fix security vulnerability: Effect command might allow negative indexes

Bug: 32588016
Bug: 32585400

Test: Use POC bug or cts security test
Change-Id: I5ef8c756369d488ad5903c163584f24de63d73e3
(cherry picked from commit 500a9fea)
parent 18e680df
+14 −5
@@ -308,8 +308,13 @@ int equalizer_get_parameter(effect_context_t *context, effect_param_t *p,
    case EQ_PARAM_GET_PRESET_NAME:
        param2 = *param_tmp;
        ALOGV("%s: EQ_PARAM_GET_PRESET_NAME: param2: %d", __func__, param2);
        if (param2 >= equalizer_get_num_presets(eq_ctxt)) {
        if ((param2 < 0 && param2 != PRESET_CUSTOM) ||
            param2 >= equalizer_get_num_presets(eq_ctxt)) {
                p->status = -EINVAL;
                if (param2 < 0) {
                    android_errorWriteLog(0x534e4554, "32588016");
                    ALOGW("\tERROR EQ_PARAM_GET_PRESET_NAME preset %d", param2);
                }
                break;
        }
        name = (char *)value;
@@ -365,8 +370,12 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
    case EQ_PARAM_BAND_LEVEL:
        band =  *param_tmp;
        level = (int32_t)(*(int16_t *)value);
        if (band >= NUM_EQ_BANDS) {
        if (band < 0 || band >= NUM_EQ_BANDS) {
            p->status = -EINVAL;
            if (band < 0) {
                android_errorWriteLog(0x534e4554, "32585400");
                ALOGW("\tERROR EQ_PARAM_BAND_LEVEL band %d", band);
            }
            break;
        }
        equalizer_set_band_level(eq_ctxt, band, level);
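Review bot: In the EQ_PARAM_GET_PRESET_NAME hunk the new check still lets one negative value through, `param2 == PRESET_CUSTOM`, so the bounds guarantee depends on code outside the hunk: whatever consumes `param2` after `name = (char *)value;` has to special-case PRESET_CUSTOM rather than use it as an array index. That is presumably already the case, but the hunk does not show it, and the case body continues past the last visible line. I would document the exemption at the check, e.g. `/* PRESET_CUSTOM is the only negative preset accepted; the name lookup must not index with it */`. The same hunk also indents the body of the `if` one level deeper than the EQ_PARAM_BAND_LEVEL hunk does, which makes the two otherwise parallel checks harder to compare.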