diff options
| author | Eric Laurent <elaurent@google.com> | 2015-06-19 15:33:57 -0700 |
|---|---|---|
| committer | Eric Laurent <elaurent@google.com> | 2015-06-19 18:00:25 -0700 |
| commit | 0f714a464d2425afe00d6450535e763131b40844 (patch) | |
| tree | e949a4874b50e193734fb3541e9011d3a7e54cb6 /media/libeffects/visualizer/EffectVisualizer.cpp | |
| parent | 3ecc9db40b1fb9c7f807a5892e5c9625aac1fb06 (diff) | |
| download | frameworks_av-0f714a464d2425afe00d6450535e763131b40844.zip frameworks_av-0f714a464d2425afe00d6450535e763131b40844.tar.gz frameworks_av-0f714a464d2425afe00d6450535e763131b40844.tar.bz2 | |
audio effects: fix heap overflow
Check consistency of effect command reply sizes before
copying to reply address.
Also add null pointer check on reply size.
Also remove unused parameter warning.
Bug: 21953516.
Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4
Diffstat (limited to 'media/libeffects/visualizer/EffectVisualizer.cpp')
| -rw-r--r-- | media/libeffects/visualizer/EffectVisualizer.cpp | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/media/libeffects/visualizer/EffectVisualizer.cpp b/media/libeffects/visualizer/EffectVisualizer.cpp index e5089da..0c310c5 100644 --- a/media/libeffects/visualizer/EffectVisualizer.cpp +++ b/media/libeffects/visualizer/EffectVisualizer.cpp @@ -424,21 +424,21 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, switch (cmdCode) { case EFFECT_CMD_INIT: - if (pReplyData == NULL || *replySize != sizeof(int)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } *(int *) pReplyData = Visualizer_init(pContext); break; case EFFECT_CMD_SET_CONFIG: if (pCmdData == NULL || cmdSize != sizeof(effect_config_t) - || pReplyData == NULL || *replySize != sizeof(int)) { + || pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } *(int *) pReplyData = Visualizer_setConfig(pContext, (effect_config_t *) pCmdData); break; case EFFECT_CMD_GET_CONFIG: - if (pReplyData == NULL || + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(effect_config_t)) { return -EINVAL; } @@ -448,7 +448,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, Visualizer_reset(pContext); break; case EFFECT_CMD_ENABLE: - if (pReplyData == NULL || *replySize != sizeof(int)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } if (pContext->mState != VISUALIZER_STATE_INITIALIZED) { @@ -459,7 +459,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, *(int *)pReplyData = 0; break; case EFFECT_CMD_DISABLE: - if (pReplyData == NULL || *replySize != sizeof(int)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } if (pContext->mState != VISUALIZER_STATE_ACTIVE) { @@ -472,7 +472,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, case EFFECT_CMD_GET_PARAM: { if (pCmdData == NULL || cmdSize != (int)(sizeof(effect_param_t) + sizeof(uint32_t)) || - pReplyData == NULL || + pReplyData == NULL || replySize == NULL || *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t))) { return -EINVAL; } @@ -510,7 +510,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, case EFFECT_CMD_SET_PARAM: { if (pCmdData == NULL || cmdSize != (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t)) || - pReplyData == NULL || *replySize != sizeof(int32_t)) { + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) { return -EINVAL; } *(int32_t *)pReplyData = 0; @@ -548,7 +548,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, case VISUALIZER_CMD_CAPTURE: { uint32_t captureSize = pContext->mCaptureSize; - if (pReplyData == NULL || *replySize != captureSize) { + if (pReplyData == NULL || replySize == NULL || *replySize != captureSize) { ALOGV("VISUALIZER_CMD_CAPTURE() error *replySize %" PRIu32 " captureSize %" PRIu32, *replySize, captureSize); return -EINVAL; |