Check effect command reply size in AudioFlinger

Bug: 29251553 Change-Id: I1bcc1281f1f0542bb645f6358ce31631f2a8ffbf
author: Andy Hung <hunga@google.com> 2016-06-20 15:22:52 -0700
committer: The Android Automerger <android-build@google.com> 2016-06-23 15:05:18 -0700
commit: 9cd8c3289c91254b3955bd7347cf605d6fa032c6 (patch)
tree: 620c1736f58909dd7b30de2d21f4b3980bce0143 /services/audioflinger
parent: a4567c66f4764442c6cb7b5c1858810194480fb5 (diff)
download: frameworks_av-9cd8c3289c91254b3955bd7347cf605d6fa032c6.zip
frameworks_av-9cd8c3289c91254b3955bd7347cf605d6fa032c6.tar.gz
frameworks_av-9cd8c3289c91254b3955bd7347cf605d6fa032c6.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 949c91d..eb52dee 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -558,6 +558,12 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
     if (mStatus != NO_ERROR) {
         return mStatus;
     }
+    if (cmdCode == EFFECT_CMD_GET_PARAM &&
+            (*replySize < sizeof(effect_param_t) ||
+                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t))) {
+        android_errorWriteLog(0x534e4554, "29251553");
+        return -EINVAL;
+    }
     status_t status = (*mEffectInterface)->command(mEffectInterface,
                                                    cmdCode,
                                                    cmdSize,
author	Andy Hung <hunga@google.com>	2016-06-20 15:22:52 -0700
committer	The Android Automerger <android-build@google.com>	2016-06-23 15:05:18 -0700
commit	9cd8c3289c91254b3955bd7347cf605d6fa032c6 (patch)
tree	620c1736f58909dd7b30de2d21f4b3980bce0143 /services/audioflinger
parent	a4567c66f4764442c6cb7b5c1858810194480fb5 (diff)
download	frameworks_av-9cd8c3289c91254b3955bd7347cf605d6fa032c6.zip frameworks_av-9cd8c3289c91254b3955bd7347cf605d6fa032c6.tar.gz frameworks_av-9cd8c3289c91254b3955bd7347cf605d6fa032c6.tar.bz2