author | Andy Hung <hunga@google.com> | 2016-08-17 14:11:13 -0700 |
---|---|---|
committer | Adam Seaton <aseaton@google.com> | 2016-08-26 15:48:52 -0700 |
commit | 4f7b529d2405e4929e424d4bb12e4fa5bce2fa04 (patch) | |
tree | 95324e9c6bccc025a7af0c426a3d6b5352a79fb4 /services/audioflinger | |
parent | eb11f3a9e6638805c4473c3bf448584893bae519 (diff) | |
Add EFFECT_CMD_SET_PARAM parameter checking
Fix merge conflict to mnc-mr3-release
Bug: 30204301
Change-Id: Ib9c3ee1c2f23c96f8f7092dd9e146bc453d7a290
Diffstat (limited to 'services/audioflinger')
-rw-r--r-- | services/audioflinger/Effects.cpp | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 949c91d..f87b8f5 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -543,6 +543,13 @@ status_t AudioFlinger::EffectModule::remove_effect_from_hal_l()
 return NO_ERROR;
 }
 
+// round up delta valid if value and divisor are positive.
+template <typename T>
+static T roundUpDelta(const T &value, const T &divisor) {
+ T remainder = value % divisor;
+ return remainder == 0 ? 0 : divisor - remainder;
+}
+
 status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
 uint32_t cmdSize,
 void *pCmdData,
@@ -558,6 +565,28 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
 if (mStatus != NO_ERROR) {
 return mStatus;
 }
+ if (cmdCode == EFFECT_CMD_GET_PARAM &&
+ (*replySize < sizeof(effect_param_t) ||
+ ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t))) {
+ android_errorWriteLog(0x534e4554, "29251553");
+ return -EINVAL;
+ }
+ if ((cmdCode == EFFECT_CMD_SET_PARAM
+ || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used
+ (sizeof(effect_param_t) > cmdSize
+ || ((effect_param_t *)pCmdData)->psize > cmdSize
+ - sizeof(effect_param_t)
+ || ((effect_param_t *)pCmdData)->vsize > cmdSize
+ - sizeof(effect_param_t)
+ - ((effect_param_t *)pCmdData)->psize
+ || roundUpDelta(((effect_param_t *)pCmdData)->psize, (uint32_t)sizeof(int)) >
+ cmdSize
+ - sizeof(effect_param_t)
+ - ((effect_param_t *)pCmdData)->psize
+ - ((effect_param_t *)pCmdData)->vsize)) {
+ android_errorWriteLog(0x534e4554, "30204301");
+ return -EINVAL;
+ }
 status_t status = (*mEffectInterface)->command(mEffectInterface,
 cmdCode,
 cmdSize, |
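Review bot: roundUpDelta computes `value % divisor` with only the one-line comment standing between it and a zero divisor, and for a signed T a negative `value` yields a negative remainder and a result larger than `divisor`. The single call visible on this page passes uint32_t operands and the constant `(uint32_t)sizeof(int)`, so this is latent rather than live, but the helper is a template that a later caller could instantiate with other types. I would state the contract in full, `// Returns the padding needed to round value up to the next multiple of divisor (0 if already aligned); value must be >= 0 and divisor > 0.`, and consider enforcing it with `static_assert(std::is_unsigned<T>::value, "roundUpDelta expects an unsigned type");` as the first statement of the body (this needs `<type_traits>`).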
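Review bot: The EFFECT_CMD_GET_PARAM guard reads `((effect_param_t *)pCmdData)->psize` without first comparing `cmdSize` with `sizeof(effect_param_t)`, so a command buffer shorter than the header is still read past its end; the SET_PARAM guard below it does make that comparison before touching the struct. Neither guard tests `pCmdData` for null, and the GET_PARAM one dereferences `replySize` unchecked. Unless the caller already guarantees these, the GET_PARAM condition should open with `replySize == NULL || pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||`, and the SET_PARAM condition with `pCmdData == NULL ||`. command() begins before and continues after this hunk, so validation elsewhere in the function cannot be ruled out from here and is worth confirming.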