From 0f714a464d2425afe00d6450535e763131b40844 Mon Sep 17 00:00:00 2001
From: Eric Laurent
Date: Fri, 19 Jun 2015 15:33:57 -0700
Subject: audio effects: fix heap overflow
Check consistency of effect command reply sizes before copying to reply address. Also add null pointer check on reply size. Also remove unused parameter warning.
Bug: 21953516.
Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4
---
 .../libeffects/lvm/wrapper/Bundle/EffectBundle.cpp | 134 ++++++---------------
 1 file changed, 40 insertions(+), 94 deletions(-) (limited to 'media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp')
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index d904ab6..af904a6 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -3034,7 +3034,7 @@ int Effect_command(effect_handle_t self,
 switch (cmdCode){
 case EFFECT_CMD_INIT:
- if (pReplyData == NULL || *replySize != sizeof(int)){
+ if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)){
 ALOGV("\tLVM_ERROR, EFFECT_CMD_INIT: ERROR for effect type %d", pContext->EffectType);
 return -EINVAL;
@@ -3061,10 +3061,8 @@ int Effect_command(effect_handle_t self,
 case EFFECT_CMD_SET_CONFIG:
 //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_SET_CONFIG start");
- if (pCmdData == NULL||
- cmdSize != sizeof(effect_config_t)||
- pReplyData == NULL||
- *replySize != sizeof(int)){
+ if (pCmdData == NULL || cmdSize != sizeof(effect_config_t) ||
+ pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
 ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: " "EFFECT_CMD_SET_CONFIG: ERROR");
 return -EINVAL;
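Review bot: The refusal paths in these two hunks (EFFECT_CMD_INIT and EFFECT_CMD_SET_CONFIG) still report only through `ALOGV`, which is typically compiled out of release builds, so a command with a NULL `replySize` or a mismatched reply size is rejected without leaving any trace. Because the commit fixes a heap overflow reached through these arguments, I would log the rejection at a level that survives in production, for example `ALOGE("EFFECT_CMD_INIT: invalid reply buffer");`, so malformed commands show up in device logs. The same applies to every `return -EINVAL` guard touched in the later hunks. Effect_command's body starts and ends outside these hunks.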
@@ -3074,8 +3072,7 @@ int Effect_command(effect_handle_t self,
 break;
 case EFFECT_CMD_GET_CONFIG:
- if (pReplyData == NULL ||
- *replySize != sizeof(effect_config_t)) {
+ if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(effect_config_t)) {
 ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: " "EFFECT_CMD_GET_CONFIG: ERROR");
 return -EINVAL;
@@ -3093,30 +3090,27 @@ int Effect_command(effect_handle_t self,
 case EFFECT_CMD_GET_PARAM:{
 //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");
- if(pContext->EffectType == LVM_BASS_BOOST){
- if (pCmdData == NULL ||
- cmdSize < (sizeof(effect_param_t) + sizeof(int32_t)) ||
- pReplyData == NULL ||
- *replySize < (sizeof(effect_param_t) + sizeof(int32_t))){
- ALOGV("\tLVM_ERROR : BassBoost_command cmdCode Case: "
- "EFFECT_CMD_GET_PARAM: ERROR");
- return -EINVAL;
- }
- effect_param_t *p = (effect_param_t *)pCmdData;
+ effect_param_t *p = (effect_param_t *)pCmdData;
+
+ if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
+ cmdSize < (sizeof(effect_param_t) + p->psize) ||
+ pReplyData == NULL || replySize == NULL ||
+ *replySize < (sizeof(effect_param_t) + p->psize)) {
+ ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR");
+ return -EINVAL;
+ }
- memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
+ memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
- p = (effect_param_t *)pReplyData;
+ p = (effect_param_t *)pReplyData;
- int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
+ int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
+ if(pContext->EffectType == LVM_BASS_BOOST){
 p->status = android::BassBoost_getParameter(pContext, p->data, &p->vsize, p->data + voffset);
-
- *replySize = sizeof(effect_param_t) + voffset + p->vsize;
-
 //ALOGV("\tBassBoost_command EFFECT_CMD_GET_PARAM "
 // "*pCmdData %d, *replySize %d, *pReplyData %d ",
 // *(int32_t *)((char *)pCmdData + sizeof(effect_param_t)),
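Review bot: In the EFFECT_CMD_GET_PARAM hunk the new guard bounds only `sizeof(effect_param_t) + p->psize`, while the getParameter calls write the value at `p->data + voffset` with a length taken from `p->vsize`, so neither the padding in `voffset` nor the value itself is checked against `*replySize`. The sum `sizeof(effect_param_t) + p->psize` can also wrap where `size_t` is 32 bits (assuming `psize` is a 32-bit unsigned field), which would let an oversized `psize` pass both comparisons and leave `voffset` out of range. Comparing by subtraction and checking `voffset` and `p->vsize` against the remaining reply space closes both gaps; this relies on the per-effect getParameter functions honouring the size passed in `p->vsize`, which is not visible here. The shared `*replySize = sizeof(effect_param_t) + voffset + p->vsize;` assignment added in the `-3188,35` hunk has the same gap and can report more bytes than the caller supplied. The case body and Effect_command continue outside the hunk.

```cpp
effect_param_t *p = (effect_param_t *)pCmdData;

// Compare by subtraction so a large psize cannot wrap the sum.
if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
        p->psize > cmdSize - sizeof(effect_param_t) ||
        pReplyData == NULL || replySize == NULL ||
        *replySize < sizeof(effect_param_t)) {
    ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR");
    return -EINVAL;
}

// Padded parameter length; psize is already bounded by cmdSize above.
const size_t voffset =
        ((p->psize + sizeof(int32_t) - 1) / sizeof(int32_t)) * sizeof(int32_t);
const size_t replyRoom = *replySize - sizeof(effect_param_t);
// The value is written at data + voffset, so both must fit in the reply buffer.
if (voffset > replyRoom || p->vsize > replyRoom - voffset) {
    ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR");
    return -EINVAL;
}

memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
// … unchanged: p reassigned to pReplyData, per-effect getParameter dispatch, *replySize update …
```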
@@ -3125,27 +3119,10 @@ int Effect_command(effect_handle_t self,
 }
 if(pContext->EffectType == LVM_VIRTUALIZER){
- if (pCmdData == NULL ||
- cmdSize < (sizeof(effect_param_t) + sizeof(int32_t)) ||
- pReplyData == NULL ||
- *replySize < (sizeof(effect_param_t) + sizeof(int32_t))){
- ALOGV("\tLVM_ERROR : Virtualizer_command cmdCode Case: "
- "EFFECT_CMD_GET_PARAM: ERROR");
- return -EINVAL;
- }
- effect_param_t *p = (effect_param_t *)pCmdData;
-
- memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
-
- p = (effect_param_t *)pReplyData;
-
- int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
-
 p->status = android::Virtualizer_getParameter(pContext, (void *)p->data, &p->vsize, p->data + voffset);
- *replySize = sizeof(effect_param_t) + voffset + p->vsize;
 //ALOGV("\tVirtualizer_command EFFECT_CMD_GET_PARAM "
 // "*pCmdData %d, *replySize %d, *pReplyData %d ",
@@ -3156,29 +3133,11 @@ int Effect_command(effect_handle_t self,
 if(pContext->EffectType == LVM_EQUALIZER){
 //ALOGV("\tEqualizer_command cmdCode Case: "
 // "EFFECT_CMD_GET_PARAM start");
- if (pCmdData == NULL ||
- cmdSize < (sizeof(effect_param_t) + sizeof(int32_t)) ||
- pReplyData == NULL ||
- *replySize < (int) (sizeof(effect_param_t) + sizeof(int32_t))) {
- ALOGV("\tLVM_ERROR : Equalizer_command cmdCode Case: "
- "EFFECT_CMD_GET_PARAM");
- return -EINVAL;
- }
- effect_param_t *p = (effect_param_t *)pCmdData;
-
- memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
-
- p = (effect_param_t *)pReplyData;
-
- int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
-
 p->status = android::Equalizer_getParameter(pContext, p->data, &p->vsize, p->data + voffset);
- *replySize = sizeof(effect_param_t) + voffset + p->vsize;
-
 //ALOGV("\tEqualizer_command EFFECT_CMD_GET_PARAM *pCmdData %d, *replySize %d, "
 // "*pReplyData %08x %08x",
 // *(int32_t *)((char *)pCmdData + sizeof(effect_param_t)), *replySize,
@@ -3188,35 +3147,19 @@ int Effect_command(effect_handle_t self,
 }
 if(pContext->EffectType == LVM_VOLUME){
 //ALOGV("\tVolume_command cmdCode Case: EFFECT_CMD_GET_PARAM start");
- if (pCmdData == NULL ||
- cmdSize < (sizeof(effect_param_t) + sizeof(int32_t)) ||
- pReplyData == NULL ||
- *replySize < (int) (sizeof(effect_param_t) + sizeof(int32_t))){
- ALOGV("\tLVM_ERROR : Volume_command cmdCode Case: "
- "EFFECT_CMD_GET_PARAM: ERROR");
- return -EINVAL;
- }
- effect_param_t *p = (effect_param_t *)pCmdData;
-
- memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
-
- p = (effect_param_t *)pReplyData;
-
- int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
-
 p->status = android::Volume_getParameter(pContext, (void *)p->data, &p->vsize, p->data + voffset);
- *replySize = sizeof(effect_param_t) + voffset + p->vsize;
-
 //ALOGV("\tVolume_command EFFECT_CMD_GET_PARAM "
 // "*pCmdData %d, *replySize %d, *pReplyData %d ",
 // *(int32_t *)((char *)pCmdData + sizeof(effect_param_t)),
 // *replySize,
 // *(int16_t *)((char *)pReplyData + sizeof(effect_param_t) + voffset));
 }
+ *replySize = sizeof(effect_param_t) + voffset + p->vsize;
+
 //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM end");
 } break;
 case EFFECT_CMD_SET_PARAM:{
@@ -3227,10 +3170,9 @@ int Effect_command(effect_handle_t self,
 // *replySize,
 // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) + sizeof(int32_t)));
- if (pCmdData == NULL||
- cmdSize != (sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int16_t))||
- pReplyData == NULL||
- *replySize != sizeof(int32_t)){
+ if (pCmdData == NULL ||
+ cmdSize != (sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int16_t)) ||
+ pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) {
 ALOGV("\tLVM_ERROR : BassBoost_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR");
 return -EINVAL;
@@ -3262,11 +3204,10 @@ int Effect_command(effect_handle_t self,
 // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) + sizeof(int32_t)));
 if (pCmdData == NULL ||
- // legal parameters are int16_t or int32_t
- cmdSize > (sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int32_t)) ||
- cmdSize < (sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int16_t)) ||
- pReplyData == NULL ||
- *replySize != sizeof(int32_t)){
+ // legal parameters are int16_t or int32_t
+ cmdSize > (sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int32_t)) ||
+ cmdSize < (sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int16_t)) ||
+ pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) {
 ALOGV("\tLVM_ERROR : Virtualizer_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR");
 return -EINVAL;
@@ -3299,7 +3240,7 @@ int Effect_command(effect_handle_t self,
 // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) + sizeof(int32_t)));
 if (pCmdData == NULL || cmdSize < (sizeof(effect_param_t) + sizeof(int32_t)) ||
- pReplyData == NULL || *replySize != sizeof(int32_t)) {
+ pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) {
 ALOGV("\tLVM_ERROR : Equalizer_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR");
 return -EINVAL;
@@ -3317,10 +3258,10 @@ int Effect_command(effect_handle_t self,
 // *replySize,
 // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) +sizeof(int32_t)));
- if ( pCmdData == NULL||
- cmdSize < (sizeof(effect_param_t) + sizeof(int32_t))||
- pReplyData == NULL||
- *replySize != sizeof(int32_t)){
+ if (pCmdData == NULL ||
+ cmdSize < (sizeof(effect_param_t) + sizeof(int32_t)) ||
+ pReplyData == NULL || replySize == NULL ||
+ *replySize != sizeof(int32_t)) {
 ALOGV("\tLVM_ERROR : Volume_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR");
 return -EINVAL;
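Review bot: The EFFECT_CMD_SET_PARAM guards in these three hunks (Virtualizer, Equalizer, Volume) and in the BassBoost hunk at `-3227,10` still validate `cmdSize` only against fixed sizes; unlike the reworked GET_PARAM guard, none compares the command's own `psize` or `vsize` fields with `cmdSize`. The Equalizer and Volume guards have only a lower bound, `cmdSize < (sizeof(effect_param_t) + sizeof(int32_t))`, so if the code after the guard (outside these hunks) locates the value through `psize`, a command whose declared sizes exceed `cmdSize` would be read past its end. Once the command is cast to `effect_param_t *p`, I would add a consistency check such as `p->psize > cmdSize - sizeof(effect_param_t) || p->vsize > cmdSize - sizeof(effect_param_t) - p->psize` and return `-EINVAL` when it holds.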
@@ -3336,7 +3277,7 @@ int Effect_command(effect_handle_t self,
 case EFFECT_CMD_ENABLE:
 ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_ENABLE start");
- if (pReplyData == NULL || *replySize != sizeof(int)){
+ if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
 ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: EFFECT_CMD_ENABLE: ERROR");
 return -EINVAL;
 }
@@ -3346,7 +3287,7 @@ int Effect_command(effect_handle_t self,
 case EFFECT_CMD_DISABLE:
 //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_DISABLE start");
- if (pReplyData == NULL || *replySize != sizeof(int)){
+ if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
 ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: EFFECT_CMD_DISABLE: ERROR");
 return -EINVAL;
 }
@@ -3356,6 +3297,11 @@ int Effect_command(effect_handle_t self,
 case EFFECT_CMD_SET_DEVICE: {
 ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_SET_DEVICE start");
+ if (pCmdData == NULL){
+ ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: EFFECT_CMD_SET_DEVICE: ERROR");
+ return -EINVAL;
+ }
+
 uint32_t device = *(uint32_t *)pCmdData;
 pContext->pBundledContext->nOutputDevice = (audio_devices_t) device;
@@ -3444,8 +3390,8 @@ int Effect_command(effect_handle_t self,
 break;
 }
- if (pCmdData == NULL ||
- cmdSize != 2 * sizeof(uint32_t)) {
+ if (pCmdData == NULL || cmdSize != 2 * sizeof(uint32_t) || pReplyData == NULL ||
+ replySize == NULL || *replySize < 2*sizeof(int32_t)) {
 ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: " "EFFECT_CMD_SET_VOLUME: ERROR");
 return -EINVAL;
--
cgit v1.1
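Review bot: The new EFFECT_CMD_SET_DEVICE guard checks `pCmdData` for NULL but not `cmdSize`, and the following line reads four bytes through `*(uint32_t *)pCmdData`, so a command shorter than that would be read past its end. Extend the test to `if (pCmdData == NULL || cmdSize < sizeof(uint32_t)) {`. In the EFFECT_CMD_SET_VOLUME hunk the reply size is compared with `2*sizeof(int32_t)` while the command size uses `2 * sizeof(uint32_t)`; using the same type and spacing in both would read more clearly. Both case bodies continue outside the hunks.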