From 82016b05946bd41ecbaf6872c00b0195ea80c094 Mon Sep 17 00:00:00 2001
From: Sam Mortimer
Date: Fri, 9 Dec 2016 13:36:25 -0800
Subject: soundtrigger: fix memory corruption
Fixes hotword on angler.
Change-Id: Ic15a617c0f79f03785feaddd2dfa6deb90842a06
(cherry picked from commit 5f72b2213b9dc96ce91871398b539ad6aa653142)
---
 services/soundtrigger/SoundTriggerHwService.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'services')
diff --git a/services/soundtrigger/SoundTriggerHwService.cpp b/services/soundtrigger/SoundTriggerHwService.cpp
index a1cc6ff..a45d5f6 100644
--- a/services/soundtrigger/SoundTriggerHwService.cpp
+++ b/services/soundtrigger/SoundTriggerHwService.cpp
@@ -270,12 +270,12 @@ void SoundTriggerHwService::sendRecognitionEvent(struct sound_trigger_recognitio
 if (module == NULL) {
 return;
 }
+ struct sound_trigger_phrase_recognition_event newEvent;
 if (event-> type == SOUND_MODEL_TYPE_KEYPHRASE && event->data_size != 0 && event->data_offset != sizeof(struct sound_trigger_phrase_recognition_event)) {
 // set some defaults for the phrase if the recognition event won't be parsed properly
 // TODO: read defaults from the config
- struct sound_trigger_phrase_recognition_event newEvent;
 memset(&newEvent, 0, sizeof(struct sound_trigger_phrase_recognition_event));
 sp model = module->getModel(event->model);
-- cgit v1.1
From 178e1e1e6a4fd7c3cc284858c6f56ddf7e2697c3 Mon Sep 17 00:00:00 2001
From: Andy Hung
Date: Fri, 4 Nov 2016 19:40:53 -0700
Subject: Effects: Check get parameter command size
Test: Custom test.
Bug: 32438594
Bug: 32624850
Bug: 32635664
Change-Id: I9b1315e2c02f11bea395bfdcf5c1ccddccbad8a6
(cherry picked from commit 3d34cc76e315dfa8c3b1edf78835b0dab4980505)
(cherry picked from commit 26965db50a617f69bdefca0d7533796c80374f2c)
---
 services/audioflinger/Effects.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'services')
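Review bot: The hoisted `newEvent` declaration in `SoundTriggerHwService::sendRecognitionEvent` carries no comment saying why it now sits at function scope, and the commit message says only "fix memory corruption". The likely reason, which is not visible in this hunk, is that `event` is repointed at `newEvent` inside the `if` block and is still used after the block closes, so the block-scoped object was being read after its lifetime had ended. A comment such as `// Must outlive the if block: event may point at newEvent after it` would stop a later cleanup from narrowing the scope again. The function body starts and ends outside the hunk, so the later use of `event` should be confirmed there.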
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 5505d2e..d46c10e 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -571,6 +571,13 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
 android_errorWriteLog(0x534e4554, "29251553");
 return -EINVAL;
 }
+ if (cmdCode == EFFECT_CMD_GET_PARAM &&
+ (sizeof(effect_param_t) > cmdSize ||
+ ((effect_param_t *)pCmdData)->psize > cmdSize
+ - sizeof(effect_param_t))) {
+ android_errorWriteLog(0x534e4554, "32438594");
+ return -EINVAL;
+ }
 if ((cmdCode == EFFECT_CMD_SET_PARAM || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used
 (sizeof(effect_param_t) > cmdSize
-- cgit v1.1
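Review bot: The new `EFFECT_CMD_GET_PARAM` guard in `EffectModule::command` casts and dereferences `pCmdData` to read `psize`, and no null check is visible in this hunk. If no earlier check outside the hunk rejects a null pointer paired with a non-zero `cmdSize`, add `pCmdData == NULL ||` as the first term of the condition. The preceding guard that logs `"29251553"` has its condition outside the hunk; if it also reads `psize`, it does so before this check has established that `cmdSize` covers an `effect_param_t`, so this guard may belong ahead of it. A one-line comment such as `// cmdSize >= sizeof(effect_param_t) here, so the subtraction cannot wrap` would document why the unsigned subtraction is safe. The function body starts and ends outside the hunk.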