Fix security vulnerability: potential OOB write in audioserver

Bug: 32705438 Bug: 32703959 Test: cts security test Change-Id: I8900c92fa55b56c4c2c9d721efdbabe6bfc8a4a4 (cherry picked from commit e275907e576601a3579747c3a842790bacf111e2) (cherry picked from commit b0bcddb44d992e74140a3f5eedc7177977ea8e34)
author: rago <rago@google.com> 2016-11-22 18:02:48 -0800
committer: Brinly Taylor <brinly@brinly.me> 2017-03-13 04:55:12 +0000
commit: 0574c56e88e96d33c923a8f54364ac0bf3dc5a91 (patch)
tree: dd18959891e4b467a6d860d3b4e3238e3be6ea69 /media/libeffects/lvm
parent: 7900d8611ea22ce04c1697a8f391b83ed48c904d (diff)
download: frameworks_av-0574c56e88e96d33c923a8f54364ac0bf3dc5a91.zip
frameworks_av-0574c56e88e96d33c923a8f54364ac0bf3dc5a91.tar.gz
frameworks_av-0574c56e88e96d33c923a8f54364ac0bf3dc5a91.tar.bz2
1 files changed, 21 insertions, 6 deletions
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index 5e975b0..2588140 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -3124,10 +3124,6 @@ int Effect_command(effect_handle_t  self,
             //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");
 
             effect_param_t *p = (effect_param_t *)pCmdData;
-            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
-                android_errorWriteLog(0x534e4554, "26347509");
-                return -EINVAL;
-            }
             if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
                     cmdSize < (sizeof(effect_param_t) + p->psize) ||
                     pReplyData == NULL || replySize == NULL ||
@@ -3135,13 +3131,32 @@ int Effect_command(effect_handle_t  self,
                 ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR");
                 return -EINVAL;
             }
+            if (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
+                android_errorWriteLog(0x534e4554, "26347509");
+                ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: psize too big");
+                return -EINVAL;
+            }
+            uint32_t paddedParamSize = ((p->psize + sizeof(int32_t) - 1) / sizeof(int32_t)) *
+                    sizeof(int32_t);
+            if ((EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < paddedParamSize) ||
+                (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) - paddedParamSize <
+                    p->vsize)) {
+                ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: padded_psize or vsize too big");
+                return -EINVAL;
+            }
+            uint32_t expectedReplySize = sizeof(effect_param_t) + paddedParamSize + p->vsize;
+            if (*replySize < expectedReplySize) {
+                ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: min. replySize %u, got %u bytes",
+                        expectedReplySize, *replySize);
+                android_errorWriteLog(0x534e4554, "32705438");
+                return -EINVAL;
+            }
 
             memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
 
             p = (effect_param_t *)pReplyData;
 
-            int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
-
+            uint32_t voffset = paddedParamSize;
             if(pContext->EffectType == LVM_BASS_BOOST){
                 p->status = android::BassBoost_getParameter(pContext,
                                                             p->data,
author	rago <rago@google.com>	2016-11-22 18:02:48 -0800
committer	Brinly Taylor <brinly@brinly.me>	2017-03-13 04:55:12 +0000
commit	0574c56e88e96d33c923a8f54364ac0bf3dc5a91 (patch)
tree	dd18959891e4b467a6d860d3b4e3238e3be6ea69 /media/libeffects/lvm
parent	7900d8611ea22ce04c1697a8f391b83ed48c904d (diff)
download	frameworks_av-0574c56e88e96d33c923a8f54364ac0bf3dc5a91.zip frameworks_av-0574c56e88e96d33c923a8f54364ac0bf3dc5a91.tar.gz frameworks_av-0574c56e88e96d33c923a8f54364ac0bf3dc5a91.tar.bz2