Add EFFECT_CMD_SET_PARAM parameter checking

Bug: 30204301 Change-Id: Ib9c3ee1c2f23c96f8f7092dd9e146bc453d7a290 (cherry picked from commit e4a1d91501d47931dbae19c47815952378787ab6)
author: Andy Hung <hunga@google.com> 2016-08-17 14:11:13 -0700
committer: gitbuildkicker <android-build@google.com> 2016-08-25 21:56:09 -0700
commit: 497fcd71dd221dd2ccf6b32127ece5ec43c8660e (patch)
tree: a5e3c4c31e3b8c445fb44a480aa190978b0b6e8f
parent: 4d96096488a9e5b0a65638f93e71b79bee80e760 (diff)
download: frameworks_av-497fcd71dd221dd2ccf6b32127ece5ec43c8660e.zip
frameworks_av-497fcd71dd221dd2ccf6b32127ece5ec43c8660e.tar.gz
frameworks_av-497fcd71dd221dd2ccf6b32127ece5ec43c8660e.tar.bz2
1 files changed, 23 insertions, 0 deletions
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index eb52dee..f87b8f5 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -543,6 +543,13 @@ status_t AudioFlinger::EffectModule::remove_effect_from_hal_l()
     return NO_ERROR;
 }
 
+// round up delta valid if value and divisor are positive.
+template <typename T>
+static T roundUpDelta(const T &value, const T &divisor) {
+    T remainder = value % divisor;
+    return remainder == 0 ? 0 : divisor - remainder;
+}
+
 status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
                                              uint32_t cmdSize,
                                              void *pCmdData,
@@ -564,6 +571,22 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
         android_errorWriteLog(0x534e4554, "29251553");
         return -EINVAL;
     }
+    if ((cmdCode == EFFECT_CMD_SET_PARAM
+            || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) &&  // DEFERRED not generally used
+        (sizeof(effect_param_t) > cmdSize
+            || ((effect_param_t *)pCmdData)->psize > cmdSize
+                                                     - sizeof(effect_param_t)
+            || ((effect_param_t *)pCmdData)->vsize > cmdSize
+                                                     - sizeof(effect_param_t)
+                                                     - ((effect_param_t *)pCmdData)->psize
+            || roundUpDelta(((effect_param_t *)pCmdData)->psize, (uint32_t)sizeof(int)) >
+                                                     cmdSize
+                                                     - sizeof(effect_param_t)
+                                                     - ((effect_param_t *)pCmdData)->psize
+                                                     - ((effect_param_t *)pCmdData)->vsize)) {
+        android_errorWriteLog(0x534e4554, "30204301");
+        return -EINVAL;
+    }
     status_t status = (*mEffectInterface)->command(mEffectInterface,
                                                    cmdCode,
                                                    cmdSize,
author	Andy Hung <hunga@google.com>	2016-08-17 14:11:13 -0700
committer	gitbuildkicker <android-build@google.com>	2016-08-25 21:56:09 -0700
commit	497fcd71dd221dd2ccf6b32127ece5ec43c8660e (patch)
tree	a5e3c4c31e3b8c445fb44a480aa190978b0b6e8f
parent	4d96096488a9e5b0a65638f93e71b79bee80e760 (diff)
download	frameworks_av-497fcd71dd221dd2ccf6b32127ece5ec43c8660e.zip frameworks_av-497fcd71dd221dd2ccf6b32127ece5ec43c8660e.tar.gz frameworks_av-497fcd71dd221dd2ccf6b32127ece5ec43c8660e.tar.bz2