diff options
author | rago <rago@google.com> | 2016-11-22 18:02:48 -0800 |
---|---|---|
committer | Brinly Taylor <brinly@brinly.me> | 2017-03-13 04:55:12 +0000 |
commit | 0574c56e88e96d33c923a8f54364ac0bf3dc5a91 (patch) | |
tree | dd18959891e4b467a6d860d3b4e3238e3be6ea69 /media/libmedia/IEffect.cpp | |
parent | 7900d8611ea22ce04c1697a8f391b83ed48c904d (diff) | |
download | frameworks_av-0574c56e88e96d33c923a8f54364ac0bf3dc5a91.zip frameworks_av-0574c56e88e96d33c923a8f54364ac0bf3dc5a91.tar.gz frameworks_av-0574c56e88e96d33c923a8f54364ac0bf3dc5a91.tar.bz2 |
Fix security vulnerability: potential OOB write in audioserver
Bug: 32705438
Bug: 32703959
Test: cts security test
Change-Id: I8900c92fa55b56c4c2c9d721efdbabe6bfc8a4a4
(cherry picked from commit e275907e576601a3579747c3a842790bacf111e2)
(cherry picked from commit b0bcddb44d992e74140a3f5eedc7177977ea8e34)
Diffstat (limited to 'media/libmedia/IEffect.cpp')
-rw-r--r-- | media/libmedia/IEffect.cpp | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/media/libmedia/IEffect.cpp b/media/libmedia/IEffect.cpp index faf5795..af6d8de 100644 --- a/media/libmedia/IEffect.cpp +++ b/media/libmedia/IEffect.cpp @@ -25,6 +25,9 @@ namespace android { +// Maximum command/reply size expected +#define EFFECT_PARAM_SIZE_MAX 65536 + enum { ENABLE = IBinder::FIRST_CALL_TRANSACTION, DISABLE, @@ -156,6 +159,10 @@ status_t BnEffect::onTransact( uint32_t cmdSize = data.readInt32(); char *cmd = NULL; if (cmdSize) { + if (cmdSize > EFFECT_PARAM_SIZE_MAX) { + reply->writeInt32(NO_MEMORY); + return NO_ERROR; + } cmd = (char *)calloc(cmdSize, 1); if (cmd == NULL) { reply->writeInt32(NO_MEMORY); @@ -167,6 +174,11 @@ status_t BnEffect::onTransact( uint32_t replySz = replySize; char *resp = NULL; if (replySize) { + if (replySize > EFFECT_PARAM_SIZE_MAX) { + free(cmd); + reply->writeInt32(NO_MEMORY); + return NO_ERROR; + } resp = (char *)calloc(replySize, 1); if (resp == NULL) { free(cmd); |