fix possible overflow in effect wrappers.

Add checks on parameter size field in effect command handlers to avoid overflow leading to invalid comparison with min allowed size for command and reply buffers. Bug: 26347509. Change-Id: I20e6a9b6de8e5172b957caa1ac9410b9752efa4d (cherry picked from commit ad1bd92a49d78df6bc6e75bee68c517c1326f3cf)
author: Eric Laurent <elaurent@google.com> 2016-01-08 10:52:38 -0800
committer: The Android Automerger <android-build@google.com> 2016-01-22 13:36:15 -0800
commit: 349169847c86cd1154a3b401d4cab6f0a410b192 (patch)
tree: 6da0a096a3a9658bb58465637b5331fb6d5e1bf5 /media/libeffects
parent: 1e508ddce4250e04d06335fa1ceed1e1f0791da5 (diff)
download: frameworks_av-349169847c86cd1154a3b401d4cab6f0a410b192.zip
frameworks_av-349169847c86cd1154a3b401d4cab6f0a410b192.tar.gz
frameworks_av-349169847c86cd1154a3b401d4cab6f0a410b192.tar.bz2
2 files changed, 8 insertions, 2 deletions
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index af904a6..14a1a74 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -3091,7 +3091,10 @@ int Effect_command(effect_handle_t  self,
             //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");
 
             effect_param_t *p = (effect_param_t *)pCmdData;
-
+            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
+                android_errorWriteLog(0x534e4554, "26347509");
+                return -EINVAL;
+            }
             if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
                     cmdSize < (sizeof(effect_param_t) + p->psize) ||
                     pReplyData == NULL || replySize == NULL ||
diff --git a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
index a48a4e3..4dc8b45 100644
--- a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
+++ b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
@@ -1956,7 +1956,10 @@ int Reverb_command(effect_handle_t  self,
             //ALOGV("\tReverb_command cmdCode Case: "
             //        "EFFECT_CMD_GET_PARAM start");
             effect_param_t *p = (effect_param_t *)pCmdData;
-
+            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
+                android_errorWriteLog(0x534e4554, "26347509");
+                return -EINVAL;
+            }
             if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
                     cmdSize < (sizeof(effect_param_t) + p->psize) ||
                     pReplyData == NULL || replySize == NULL ||
author	Eric Laurent <elaurent@google.com>	2016-01-08 10:52:38 -0800
committer	The Android Automerger <android-build@google.com>	2016-01-22 13:36:15 -0800
commit	349169847c86cd1154a3b401d4cab6f0a410b192 (patch)
tree	6da0a096a3a9658bb58465637b5331fb6d5e1bf5 /media/libeffects
parent	1e508ddce4250e04d06335fa1ceed1e1f0791da5 (diff)
download	frameworks_av-349169847c86cd1154a3b401d4cab6f0a410b192.zip frameworks_av-349169847c86cd1154a3b401d4cab6f0a410b192.tar.gz frameworks_av-349169847c86cd1154a3b401d4cab6f0a410b192.tar.bz2