| author | rago <rago@google.com> | 2016-11-14 14:58:34 -0800 | 
|---|---|---|
| committer | mh0rst <mhorst@tzi.de> | 2017-01-13 10:24:27 +0100 | 
| commit | 621ca73010f3954566b27c6554ce992cc6069670 (patch) | |
| tree | e03117c4d84b9a63ebfd98592c72a308970dcee6 /media/libeffects/lvm | |
| parent | 82016b05946bd41ecbaf6872c00b0195ea80c094 (diff) | |
Fix security vulnerability: Effect command might allow negative indexes
Bug: 32448258
Bug: 32095626
Test: Use POC bug or cts security test
Change-Id: I69f24eac5866f8d9090fc4c0ebe58c2c297b63df
(cherry picked from commit 01183402d757f0c28bfd5e3b127b3809dfd67459)
(cherry picked from commit 321ea5257e37c8edb26e66fe4ee78cca4cd915fe)
Fix security vulnerability: Equalizer command might allow negative indexes
Bug: 32247948
Bug: 32438598
Bug: 32436341
Test: use POC on bug or cts security test
Change-Id: I91bd6aadb6c7410163e03101f365db767f4cd2a3
(cherry picked from commit 0872b65cff9129633471945431b9a5a28418049c)
(cherry picked from commit e981cca9fff3608af22bdf8fc1acef5470e25663)
(cherry picked from commit c66c43ad571ed2590dcd55a762c73c90d9744bac)
Diffstat (limited to 'media/libeffects/lvm')
| -rw-r--r-- | media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp | 32 | 
1 files changed, 26 insertions, 6 deletions
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index f0afd39..5e975b0 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -2357,8 +2357,12 @@ int Equalizer_getParameter(EffectContext     *pContext,
     case EQ_PARAM_BAND_LEVEL:
         param2 = *pParamTemp;
-        if (param2 >= FIVEBAND_NUMBANDS) {
+        if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) {
             status = -EINVAL;
+            if (param2 < 0) {
+                android_errorWriteLog(0x534e4554, "32438598");
+                ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_BAND_LEVEL band %d", param2);
+            }
             break;
         }
         *(int16_t *)pValue = (int16_t)EqualizerGetBandLevel(pContext, param2);
@@ -2368,8 +2372,12 @@ int Equalizer_getParameter(EffectContext     *pContext,
     case EQ_PARAM_CENTER_FREQ:
         param2 = *pParamTemp;
-        if (param2 >= FIVEBAND_NUMBANDS) {
+        if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) {
             status = -EINVAL;
+            if (param2 < 0) {
+                android_errorWriteLog(0x534e4554, "32436341");
+                ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_CENTER_FREQ band %d", param2);
+            }
             break;
         }
         *(int32_t *)pValue = EqualizerGetCentreFrequency(pContext, param2);
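Review bot: The band-index guard added to the EQ_PARAM_BAND_LEVEL case of Equalizer_getParameter is copied verbatim into the EQ_PARAM_CENTER_FREQ and EQ_PARAM_BAND_FREQ_RANGE cases and into Equalizer_setParameter, so a case added later can omit the lower bound again. A single file-local helper that validates the caller-supplied index and does the logging would keep the check in one place; the sketch below assumes `param2` and `band` are `int32_t`, which the hunks do not show. The constant `0x534e4554` is also used five times without explanation; it spells "SNET", the SafetyNet event-log tag, and a short comment saying so would explain why only the negative branch is logged. The function bodies start and end outside these hunks.

```cpp
// Returns true when a caller-supplied band index is safe to use as an array index.
// Negative values are reported to the event log under the SafetyNet tag ("SNET").
static bool isValidBandIndex(int32_t band, const char *bugId, const char *where) {
    if (band >= 0 && band < FIVEBAND_NUMBANDS) {
        return true;
    }
    if (band < 0) {
        android_errorWriteLog(0x534e4554, bugId);
        ALOGW("\tERROR %s band %d", where, band);
    }
    return false;
}

    case EQ_PARAM_BAND_LEVEL:
        param2 = *pParamTemp;
        if (!isValidBandIndex(param2, "32438598",
                              "Equalizer_getParameter() EQ_PARAM_BAND_LEVEL")) {
            status = -EINVAL;
            break;
        }
        // … unchanged: EqualizerGetBandLevel call and the other cases …
```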
@@ -2379,8 +2387,12 @@ int Equalizer_getParameter(EffectContext     *pContext,
     case EQ_PARAM_BAND_FREQ_RANGE:
         param2 = *pParamTemp;
-        if (param2 >= FIVEBAND_NUMBANDS) {
+        if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) {
             status = -EINVAL;
+            if (param2 < 0) {
+                android_errorWriteLog(0x534e4554, "32247948");
+                ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_BAND_FREQ_RANGE band %d", param2);
+            }
             break;
         }
         EqualizerGetBandFreqRange(pContext, param2, (uint32_t *)pValue, ((uint32_t *)pValue + 1));
@@ -2407,9 +2419,13 @@ int Equalizer_getParameter(EffectContext     *pContext,
     case EQ_PARAM_GET_PRESET_NAME:
         param2 = *pParamTemp;
-        if (param2 >= EqualizerGetNumPresets()) {
-        //if (param2 >= 20) {     // AGO FIX
+        if ((param2 < 0 && param2 != PRESET_CUSTOM) ||  param2 >= EqualizerGetNumPresets()) {
             status = -EINVAL;
+            if (param2 < 0) {
+                android_errorWriteLog(0x534e4554, "32448258");
+                ALOGE("\tERROR Equalizer_getParameter() EQ_PARAM_GET_PRESET_NAME preset %d",
+                        param2);
+            }
             break;
         }
         name = (char *)pValue;
@@ -2479,8 +2495,12 @@ int Equalizer_setParameter (EffectContext *pContext, void *pParam, void *pValue)
         band =  *pParamTemp;
         level = (int32_t)(*(int16_t *)pValue);
         //ALOGV("\tEqualizer_setParameter() EQ_PARAM_BAND_LEVEL band %d, level %d", band, level);
-        if (band >= FIVEBAND_NUMBANDS) {
+        if (band < 0 || band >= FIVEBAND_NUMBANDS) {
             status = -EINVAL;
+            if (band < 0) {
+                android_errorWriteLog(0x534e4554, "32095626");
+                ALOGE("\tERROR Equalizer_setParameter() EQ_PARAM_BAND_LEVEL band %d", band);
+            }
             break;
         }
         EqualizerSetBandLevel(pContext, band, level);  |
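Review bot: In the EQ_PARAM_GET_PRESET_NAME case the new condition exempts `PRESET_CUSTOM` from the negative check, so one value that is presumably negative still passes the guard and reaches the code after `name = (char *)pValue;`, which lies outside this hunk. That is safe only if the preset-name lookup special-cases `PRESET_CUSTOM` before it indexes any preset table, which the hunk does not show. If it does, the guard should say so, for example `// PRESET_CUSTOM is the only negative value allowed; the name lookup handles it without indexing the preset table`. The double space in `||  param2` is a leftover and can be dropped.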
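Review bot: In the EQ_PARAM_BAND_LEVEL case of Equalizer_setParameter only `band` is validated; `level` is read from the caller's buffer with `*(int16_t *)pValue` and passed to `EqualizerSetBandLevel` with no range check in the lines shown. Whether the callee bounds it is not visible in this hunk; if it does, a comment at the call such as `// level is caller-controlled; its range is enforced inside EqualizerSetBandLevel` would record that. This rejection logs with `ALOGE` while the three band checks in Equalizer_getParameter use `ALOGW`; using one severity for the same condition keeps log-based detection simple. The function continues outside the hunk.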
