audio effects: fix heap overflow

Check consistency of effect command reply sizes before copying to reply address. Also add null pointer check on reply size. Also remove unused parameter warning. Bug: 21953516. Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4 Signed-off-by: Eric Laurent <elaurent@google.com> Tested-by: Moritz Bandemer <replicant@posteo.mx>
author: Eric Laurent <elaurent@google.com> 2015-06-19 15:33:57 -0700
committer: Paul Kocialkowski <contact@paulk.fr> 2015-08-31 00:00:21 +0200
commit: 353b4e92b3494589f13d5632b3e5c333bdacd730 (patch)
tree: 05f71881878a7c9ea59ca86c41d7448f10880ff8 /media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
parent: 229bb7f982908feea6bf0d13eede5918f6377eb7 (diff)
download: frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.zip
frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.tar.gz
frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.tar.bz2
1 files changed, 14 insertions, 16 deletions
diff --git a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
index 941d651..613d026 100755
--- a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
+++ b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
@@ -212,8 +212,8 @@ extern "C" int EffectQueryEffect(uint32_t index,
 }     /* end EffectQueryEffect */
 
 extern "C" int EffectCreate(const effect_uuid_t *uuid,
-                            int32_t             sessionId,
-                            int32_t             ioId,
+                            int32_t             sessionId __unused,
+                            int32_t             ioId __unused,
                             effect_handle_t  *pHandle){
     int ret;
     int i;
@@ -1936,7 +1936,7 @@ int Reverb_command(effect_handle_t  self,
             //ALOGV("\tReverb_command cmdCode Case: "
             //        "EFFECT_CMD_INIT start");
 
-            if (pReplyData == NULL || *replySize != sizeof(int)){
+            if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)){
                 ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: "
                         "EFFECT_CMD_INIT: ERROR");
                 return -EINVAL;
@@ -1947,10 +1947,8 @@ int Reverb_command(effect_handle_t  self,
         case EFFECT_CMD_SET_CONFIG:
             //ALOGV("\tReverb_command cmdCode Case: "
             //        "EFFECT_CMD_SET_CONFIG start");
-            if (pCmdData == NULL ||
-                cmdSize != sizeof(effect_config_t) ||
-                pReplyData == NULL ||
-                *replySize != sizeof(int)) {
+            if (pCmdData == NULL || cmdSize != sizeof(effect_config_t) ||
+                    pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
                 ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: "
                         "EFFECT_CMD_SET_CONFIG: ERROR");
                 return -EINVAL;
@@ -1960,8 +1958,7 @@ int Reverb_command(effect_handle_t  self,
             break;
 
         case EFFECT_CMD_GET_CONFIG:
-            if (pReplyData == NULL ||
-                *replySize != sizeof(effect_config_t)) {
+            if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(effect_config_t)) {
                 ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: "
                         "EFFECT_CMD_GET_CONFIG: ERROR");
                 return -EINVAL;
@@ -1979,15 +1976,16 @@ int Reverb_command(effect_handle_t  self,
         case EFFECT_CMD_GET_PARAM:{
             //ALOGV("\tReverb_command cmdCode Case: "
             //        "EFFECT_CMD_GET_PARAM start");
-            if (pCmdData == NULL ||
-                    cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)) ||
-                    pReplyData == NULL ||
-                    *replySize < (int) (sizeof(effect_param_t) + sizeof(int32_t))){
+            effect_param_t *p = (effect_param_t *)pCmdData;
+
+            if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
+                    cmdSize < (sizeof(effect_param_t) + p->psize) ||
+                    pReplyData == NULL || replySize == NULL ||
+                    *replySize < (sizeof(effect_param_t) + p->psize)) {
                 ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: "
                         "EFFECT_CMD_GET_PARAM: ERROR");
                 return -EINVAL;
             }
-            effect_param_t *p = (effect_param_t *)pCmdData;
 
             memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
 
@@ -2018,8 +2016,8 @@ int Reverb_command(effect_handle_t  self,
             //        *replySize,
             //        *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) + sizeof(int32_t)));
 
-            if (pCmdData == NULL || (cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)))
-                    || pReplyData == NULL || *replySize != (int)sizeof(int32_t)) {
+            if (pCmdData == NULL || (cmdSize < (sizeof(effect_param_t) + sizeof(int32_t))) ||
+                    pReplyData == NULL ||  replySize == NULL || *replySize != sizeof(int32_t)) {
                 ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: "
                         "EFFECT_CMD_SET_PARAM: ERROR");
                 return -EINVAL;
author	Eric Laurent <elaurent@google.com>	2015-06-19 15:33:57 -0700
committer	Paul Kocialkowski <contact@paulk.fr>	2015-08-31 00:00:21 +0200
commit	353b4e92b3494589f13d5632b3e5c333bdacd730 (patch)
tree	05f71881878a7c9ea59ca86c41d7448f10880ff8 /media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
parent	229bb7f982908feea6bf0d13eede5918f6377eb7 (diff)
download	frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.zip frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.tar.gz frameworks_av-353b4e92b3494589f13d5632b3e5c333bdacd730.tar.bz2