From 0f714a464d2425afe00d6450535e763131b40844 Mon Sep 17 00:00:00 2001 From: Eric Laurent Date: Fri, 19 Jun 2015 15:33:57 -0700 Subject: audio effects: fix heap overflow Check consistency of effect command reply sizes before copying to reply address. Also add null pointer check on reply size. Also remove unused parameter warning. Bug: 21953516. Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4 --- .../libeffects/lvm/wrapper/Reverb/EffectReverb.cpp | 30 ++++++++++------------ 1 file changed, 14 insertions(+), 16 deletions(-) (limited to 'media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp') diff --git a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp index 13f1a0d..a48a4e3 100644 --- a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp +++ b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp @@ -190,8 +190,8 @@ int Reverb_LoadPreset (ReverbContext *pContext); /* Effect Library Interface Implementation */ extern "C" int EffectCreate(const effect_uuid_t *uuid, - int32_t sessionId, - int32_t ioId, + int32_t sessionId __unused, + int32_t ioId __unused, effect_handle_t *pHandle){ int ret; int i; @@ -1915,7 +1915,7 @@ int Reverb_command(effect_handle_t self, //ALOGV("\tReverb_command cmdCode Case: " // "EFFECT_CMD_INIT start"); - if (pReplyData == NULL || *replySize != sizeof(int)){ + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)){ ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_INIT: ERROR"); return -EINVAL; @@ -1926,10 +1926,8 @@ int Reverb_command(effect_handle_t self, case EFFECT_CMD_SET_CONFIG: //ALOGV("\tReverb_command cmdCode Case: " // "EFFECT_CMD_SET_CONFIG start"); - if (pCmdData == NULL || - cmdSize != sizeof(effect_config_t) || - pReplyData == NULL || - *replySize != sizeof(int)) { + if (pCmdData == NULL || cmdSize != sizeof(effect_config_t) || + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_SET_CONFIG: ERROR"); return -EINVAL; @@ -1939,8 +1937,7 @@ int Reverb_command(effect_handle_t self, break; case EFFECT_CMD_GET_CONFIG: - if (pReplyData == NULL || - *replySize != sizeof(effect_config_t)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(effect_config_t)) { ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_GET_CONFIG: ERROR"); return -EINVAL; @@ -1958,15 +1955,16 @@ int Reverb_command(effect_handle_t self, case EFFECT_CMD_GET_PARAM:{ //ALOGV("\tReverb_command cmdCode Case: " // "EFFECT_CMD_GET_PARAM start"); - if (pCmdData == NULL || - cmdSize < (sizeof(effect_param_t) + sizeof(int32_t)) || - pReplyData == NULL || - *replySize < (sizeof(effect_param_t) + sizeof(int32_t))){ + effect_param_t *p = (effect_param_t *)pCmdData; + + if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) || + cmdSize < (sizeof(effect_param_t) + p->psize) || + pReplyData == NULL || replySize == NULL || + *replySize < (sizeof(effect_param_t) + p->psize)) { ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_GET_PARAM: ERROR"); return -EINVAL; } - effect_param_t *p = (effect_param_t *)pCmdData; memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); @@ -1997,8 +1995,8 @@ int Reverb_command(effect_handle_t self, // *replySize, // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) + sizeof(int32_t))); - if (pCmdData == NULL || (cmdSize < (sizeof(effect_param_t) + sizeof(int32_t))) - || pReplyData == NULL || *replySize != sizeof(int32_t)) { + if (pCmdData == NULL || (cmdSize < (sizeof(effect_param_t) + sizeof(int32_t))) || + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) { ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR"); return -EINVAL; -- cgit v1.1