audio effects: fix heap overflow

Check consistency of effect command reply sizes before copying to reply address. Also add null pointer check on reply size. Also remove unused parameter warning. Bug: 21953516. Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4 Signed-off-by: Eric Laurent <elaurent@google.com> Tested-by: Moritz Bandemer <replicant@posteo.mx>
author: Eric Laurent <elaurent@google.com> 2015-06-19 15:33:57 -0700
committer: Paul Kocialkowski <contact@paulk.fr> 2015-08-31 00:00:21 +0200
commit: 353b4e92b3494589f13d5632b3e5c333bdacd730 (patch)
tree: 05f71881878a7c9ea59ca86c41d7448f10880ff8 /media/libeffects/downmix/EffectDownmix.c
parent: 229bb7f982908feea6bf0d13eede5918f6377eb7 (diff)
download: frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.zip
frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.tar.gz
frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.tar.bz2
1 files changed, 9 insertions, 9 deletions
diff --git a/media/libeffects/downmix/EffectDownmix.c b/media/libeffects/downmix/EffectDownmix.c
index 5bf052a..ce1181c 100644
--- a/media/libeffects/downmix/EffectDownmix.c
+++ b/media/libeffects/downmix/EffectDownmix.c
@@ -179,8 +179,8 @@ int32_t DownmixLib_QueryEffect(uint32_t index, effect_descriptor_t *pDescriptor)
 
 
 int32_t DownmixLib_Create(const effect_uuid_t *uuid,
-        int32_t sessionId,
-        int32_t ioId,
+        int32_t sessionId __unused,
+        int32_t ioId __unused,
         effect_handle_t *pHandle) {
     int ret;
     int i;
@@ -403,7 +403,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS
 
     switch (cmdCode) {
     case EFFECT_CMD_INIT:
-        if (pReplyData == NULL || *replySize != sizeof(int)) {
+        if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
             return -EINVAL;
         }
         *(int *) pReplyData = Downmix_Init(pDwmModule);
@@ -411,7 +411,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS
 
     case EFFECT_CMD_SET_CONFIG:
         if (pCmdData == NULL || cmdSize != sizeof(effect_config_t)
-                || pReplyData == NULL || *replySize != sizeof(int)) {
+                || pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
             return -EINVAL;
         }
         *(int *) pReplyData = Downmix_Configure(pDwmModule,
@@ -426,7 +426,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS
         ALOGV("Downmix_Command EFFECT_CMD_GET_PARAM pCmdData %p, *replySize %d, pReplyData: %p",
                 pCmdData, *replySize, pReplyData);
         if (pCmdData == NULL || cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)) ||
-                pReplyData == NULL ||
+                pReplyData == NULL || replySize == NULL ||
                 *replySize < (int) sizeof(effect_param_t) + 2 * sizeof(int32_t)) {
             return -EINVAL;
         }
@@ -443,7 +443,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS
         ALOGV("Downmix_Command EFFECT_CMD_SET_PARAM cmdSize %d pCmdData %p, *replySize %d, " \
                 "pReplyData %p", cmdSize, pCmdData, *replySize, pReplyData);
         if (pCmdData == NULL || (cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)))
-                || pReplyData == NULL || *replySize != (int)sizeof(int32_t)) {
+                || pReplyData == NULL || replySize == NULL || *replySize != (int)sizeof(int32_t)) {
             return -EINVAL;
         }
         effect_param_t *cmd = (effect_param_t *) pCmdData;
@@ -462,7 +462,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS
         break;
 
     case EFFECT_CMD_ENABLE:
-        if (pReplyData == NULL || *replySize != sizeof(int)) {
+        if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
             return -EINVAL;
         }
         if (pDownmixer->state != DOWNMIX_STATE_INITIALIZED) {
@@ -474,7 +474,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS
         break;
 
     case EFFECT_CMD_DISABLE:
-        if (pReplyData == NULL || *replySize != sizeof(int)) {
+        if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
             return -EINVAL;
         }
         if (pDownmixer->state != DOWNMIX_STATE_ACTIVE) {
@@ -689,7 +689,7 @@ int Downmix_Configure(downmix_module_t *pDwmModule, effect_config_t *pConfig, bo
  *----------------------------------------------------------------------------
  */
 
-int Downmix_Reset(downmix_object_t *pDownmixer, bool init) {
+int Downmix_Reset(downmix_object_t *pDownmixer __unused, bool init __unused) {
     // nothing to do here
     return 0;
 }
author	Eric Laurent <elaurent@google.com>	2015-06-19 15:33:57 -0700
committer	Paul Kocialkowski <contact@paulk.fr>	2015-08-31 00:00:21 +0200
commit	353b4e92b3494589f13d5632b3e5c333bdacd730 (patch)
tree	05f71881878a7c9ea59ca86c41d7448f10880ff8 /media/libeffects/downmix/EffectDownmix.c
parent	229bb7f982908feea6bf0d13eede5918f6377eb7 (diff)
download	frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.zip frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.tar.gz frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.tar.bz2