From 0f714a464d2425afe00d6450535e763131b40844 Mon Sep 17 00:00:00 2001
From: Eric Laurent
Date: Fri, 19 Jun 2015 15:33:57 -0700
Subject: audio effects: fix heap overflow

Check consistency of effect command reply sizes before copying to reply address.
Also add null pointer check on reply size.
Also remove unused parameter warning.

Bug: 21953516.
Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4
---
 media/libeffects/visualizer/EffectVisualizer.cpp | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'media/libeffects/visualizer/EffectVisualizer.cpp')

diff --git a/media/libeffects/visualizer/EffectVisualizer.cpp b/media/libeffects/visualizer/EffectVisualizer.cpp
index e5089da..0c310c5 100644
--- a/media/libeffects/visualizer/EffectVisualizer.cpp
+++ b/media/libeffects/visualizer/EffectVisualizer.cpp
@@ -424,21 +424,21 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
     switch (cmdCode) {
     case EFFECT_CMD_INIT:
-        if (pReplyData == NULL || *replySize != sizeof(int)) {
+        if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
             return -EINVAL;
         }
         *(int *) pReplyData = Visualizer_init(pContext);
         break;
     case EFFECT_CMD_SET_CONFIG:
         if (pCmdData == NULL || cmdSize != sizeof(effect_config_t)
-                || pReplyData == NULL || *replySize != sizeof(int)) {
+                || pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
             return -EINVAL;
         }
         *(int *) pReplyData = Visualizer_setConfig(pContext, (effect_config_t *) pCmdData);
         break;
     case EFFECT_CMD_GET_CONFIG:
-        if (pReplyData == NULL ||
+        if (pReplyData == NULL || replySize == NULL ||
             *replySize != sizeof(effect_config_t)) {
             return -EINVAL;
         }
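Review bot: The reply-pointer guard added at EFFECT_CMD_INIT, EFFECT_CMD_SET_CONFIG and EFFECT_CMD_GET_CONFIG is the same three-clause expression now repeated in eight case labels (this hunk and the hunks at 448, 459, 472, 510 and 548), which is exactly how the `replySize == NULL` test came to be missing in the first place. A small helper would make the check impossible to omit for future commands, e.g. `static inline bool validReply(const void *pReplyData, const uint32_t *replySize, uint32_t expected) { return pReplyData != NULL && replySize != NULL && *replySize == expected; }` with each case reduced to `if (!validReply(pReplyData, replySize, sizeof(int))) { return -EINVAL; }` (the 548 hunk prints `*replySize` with PRIu32, so `uint32_t *` appears to be its type). The `*replySize < ...` minimum test in EFFECT_CMD_GET_PARAM would need a second predicate or a flag rather than the equality form. Visualizer_command starts before this hunk and its body continues past it, so whether the GET_PARAM reply write later in the function is bounded by the size checked here cannot be confirmed from the hunk.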
@@ -448,7 +448,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
         Visualizer_reset(pContext);
         break;
     case EFFECT_CMD_ENABLE:
-        if (pReplyData == NULL || *replySize != sizeof(int)) {
+        if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
             return -EINVAL;
         }
         if (pContext->mState != VISUALIZER_STATE_INITIALIZED) {
@@ -459,7 +459,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
         *(int *)pReplyData = 0;
         break;
     case EFFECT_CMD_DISABLE:
-        if (pReplyData == NULL || *replySize != sizeof(int)) {
+        if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) {
             return -EINVAL;
         }
         if (pContext->mState != VISUALIZER_STATE_ACTIVE) {
@@ -472,7 +472,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
     case EFFECT_CMD_GET_PARAM: {
         if (pCmdData == NULL ||
             cmdSize != (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
-            pReplyData == NULL ||
+            pReplyData == NULL || replySize == NULL ||
             *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t))) {
             return -EINVAL;
         }
@@ -510,7 +510,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
     case EFFECT_CMD_SET_PARAM: {
         if (pCmdData == NULL ||
             cmdSize != (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t)) ||
-            pReplyData == NULL || *replySize != sizeof(int32_t)) {
+            pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) {
             return -EINVAL;
         }
         *(int32_t *)pReplyData = 0;
@@ -548,7 +548,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
     case VISUALIZER_CMD_CAPTURE: {
         uint32_t captureSize = pContext->mCaptureSize;
-        if (pReplyData == NULL || *replySize != captureSize) {
+        if (pReplyData == NULL || replySize == NULL || *replySize != captureSize) {
             ALOGV("VISUALIZER_CMD_CAPTURE() error *replySize %" PRIu32 " captureSize %" PRIu32, *replySize, captureSize);
             return -EINVAL;
-- 
cgit v1.1
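Review bot: The new `replySize == NULL` clause in the VISUALIZER_CMD_CAPTURE guard makes the error branch reachable with a null replySize, and the ALOGV on the next line then dereferences `*replySize` to format its message, so the check introduces a null-pointer read on the very path it is meant to protect. This only bites in builds where ALOGV is compiled in (it is normally a no-op), which is precisely the build used to investigate such rejections. Either pass `replySize != NULL ? *replySize : 0` as the log argument, or test replySize in its own `if` before the size comparison so the log line can keep printing the value. The exact-match comparison against `captureSize` is the right shape for a fixed-size copy; the copy itself and the rest of this case lie beyond the hunk.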