From 178e1e1e6a4fd7c3cc284858c6f56ddf7e2697c3 Mon Sep 17 00:00:00 2001
From: Andy Hung <hunga@google.com>
Date: Fri, 4 Nov 2016 19:40:53 -0700
Subject: Effects: Check get parameter command size

Test: Custom test.
Bug: 32438594
Bug: 32624850
Bug: 32635664
Change-Id: I9b1315e2c02f11bea395bfdcf5c1ccddccbad8a6
(cherry picked from commit 3d34cc76e315dfa8c3b1edf78835b0dab4980505)
(cherry picked from commit 26965db50a617f69bdefca0d7533796c80374f2c)
---
 services/audioflinger/Effects.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 5505d2e..d46c10e 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -571,6 +571,13 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
         android_errorWriteLog(0x534e4554, "29251553");
         return -EINVAL;
     }
+    if (cmdCode == EFFECT_CMD_GET_PARAM &&
+            (sizeof(effect_param_t) > cmdSize ||
+                    ((effect_param_t *)pCmdData)->psize > cmdSize
+                                                          - sizeof(effect_param_t))) {
+        android_errorWriteLog(0x534e4554, "32438594");
+        return -EINVAL;
+    }
     if ((cmdCode == EFFECT_CMD_SET_PARAM
             || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) &&  // DEFERRED not generally used
         (sizeof(effect_param_t) > cmdSize
-- 
cgit v1.1