From 621ca73010f3954566b27c6554ce992cc6069670 Mon Sep 17 00:00:00 2001 From: rago Date: Mon, 14 Nov 2016 14:58:34 -0800 Subject: Fix security vulnerability: Effect command might allow negative indexes Bug: 32448258 Bug: 32095626 Test: Use POC bug or cts security test Change-Id: I69f24eac5866f8d9090fc4c0ebe58c2c297b63df (cherry picked from commit 01183402d757f0c28bfd5e3b127b3809dfd67459) (cherry picked from commit 321ea5257e37c8edb26e66fe4ee78cca4cd915fe) Fix security vulnerability: Equalizer command might allow negative indexes Bug: 32247948 Bug: 32438598 Bug: 32436341 Test: use POC on bug or cts security test Change-Id: I91bd6aadb6c7410163e03101f365db767f4cd2a3 (cherry picked from commit 0872b65cff9129633471945431b9a5a28418049c) (cherry picked from commit e981cca9fff3608af22bdf8fc1acef5470e25663) (cherry picked from commit c66c43ad571ed2590dcd55a762c73c90d9744bac) --- .../libeffects/lvm/wrapper/Bundle/EffectBundle.cpp | 32 ++++++++++++++++++---- 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp index f0afd39..5e975b0 100644 --- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp +++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp @@ -2357,8 +2357,12 @@ int Equalizer_getParameter(EffectContext *pContext, case EQ_PARAM_BAND_LEVEL: param2 = *pParamTemp; - if (param2 >= FIVEBAND_NUMBANDS) { + if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) { status = -EINVAL; + if (param2 < 0) { + android_errorWriteLog(0x534e4554, "32438598"); + ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_BAND_LEVEL band %d", param2); + } break; } *(int16_t *)pValue = (int16_t)EqualizerGetBandLevel(pContext, param2); @@ -2368,8 +2372,12 @@ int Equalizer_getParameter(EffectContext *pContext, case EQ_PARAM_CENTER_FREQ: param2 = *pParamTemp; - if (param2 >= FIVEBAND_NUMBANDS) { + if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) { status = -EINVAL; + if (param2 < 0) { + android_errorWriteLog(0x534e4554, "32436341"); + ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_CENTER_FREQ band %d", param2); + } break; } *(int32_t *)pValue = EqualizerGetCentreFrequency(pContext, param2); @@ -2379,8 +2387,12 @@ int Equalizer_getParameter(EffectContext *pContext, case EQ_PARAM_BAND_FREQ_RANGE: param2 = *pParamTemp; - if (param2 >= FIVEBAND_NUMBANDS) { + if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) { status = -EINVAL; + if (param2 < 0) { + android_errorWriteLog(0x534e4554, "32247948"); + ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_BAND_FREQ_RANGE band %d", param2); + } break; } EqualizerGetBandFreqRange(pContext, param2, (uint32_t *)pValue, ((uint32_t *)pValue + 1)); @@ -2407,9 +2419,13 @@ int Equalizer_getParameter(EffectContext *pContext, case EQ_PARAM_GET_PRESET_NAME: param2 = *pParamTemp; - if (param2 >= EqualizerGetNumPresets()) { - //if (param2 >= 20) { // AGO FIX + if ((param2 < 0 && param2 != PRESET_CUSTOM) || param2 >= EqualizerGetNumPresets()) { status = -EINVAL; + if (param2 < 0) { + android_errorWriteLog(0x534e4554, "32448258"); + ALOGE("\tERROR Equalizer_getParameter() EQ_PARAM_GET_PRESET_NAME preset %d", + param2); + } break; } name = (char *)pValue; @@ -2479,8 +2495,12 @@ int Equalizer_setParameter (EffectContext *pContext, void *pParam, void *pValue) band = *pParamTemp; level = (int32_t)(*(int16_t *)pValue); //ALOGV("\tEqualizer_setParameter() EQ_PARAM_BAND_LEVEL band %d, level %d", band, level); - if (band >= FIVEBAND_NUMBANDS) { + if (band < 0 || band >= FIVEBAND_NUMBANDS) { status = -EINVAL; + if (band < 0) { + android_errorWriteLog(0x534e4554, "32095626"); + ALOGE("\tERROR Equalizer_setParameter() EQ_PARAM_BAND_LEVEL band %d", band); + } break; } EqualizerSetBandLevel(pContext, band, level); -- cgit v1.1