From 9cd8c3289c91254b3955bd7347cf605d6fa032c6 Mon Sep 17 00:00:00 2001
From: Andy Hung <hunga@google.com>
Date: Mon, 20 Jun 2016 15:22:52 -0700
Subject: Check effect command reply size in AudioFlinger

Bug: 29251553
Change-Id: I1bcc1281f1f0542bb645f6358ce31631f2a8ffbf
---
 services/audioflinger/Effects.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'services')

diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 949c91d..eb52dee 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -558,6 +558,12 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
     if (mStatus != NO_ERROR) {
         return mStatus;
     }
+    if (cmdCode == EFFECT_CMD_GET_PARAM &&
+            (*replySize < sizeof(effect_param_t) ||
+                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t))) {
+        android_errorWriteLog(0x534e4554, "29251553");
+        return -EINVAL;
+    }
     status_t status = (*mEffectInterface)->command(mEffectInterface,
                                                    cmdCode,
                                                    cmdSize,
-- 
cgit v1.1


From 1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc Mon Sep 17 00:00:00 2001
From: Eino-Ville Talvala <etalvala@google.com>
Date: Mon, 20 Jun 2016 17:00:14 -0700
Subject: DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid
 infoleak

Subtract address of a random static object from pointers being routed
through app process.

Bug: 28466701
Change-Id: Idcbfe81e9507433769672f3dc6d67db5eeed4e04
---
 .../camera/libcameraservice/api1/client2/StreamingProcessor.cpp   | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'services')

diff --git a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
index 66d7b00..9e6c0db 100644
--- a/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
+++ b/services/camera/libcameraservice/api1/client2/StreamingProcessor.cpp
@@ -30,6 +30,7 @@
 #include <utils/Trace.h>
 #include <gui/BufferItem.h>
 #include <gui/Surface.h>
+#include <camera/ICameraRecordingProxy.h>
 #include <media/hardware/HardwareAPI.h>
 
 #include "common/CameraDeviceBase.h"
@@ -826,6 +827,9 @@ status_t StreamingProcessor::processRecordingFrame() {
             (uint8_t*)heap->getBase() + offset);
         payload->eType = kMetadataBufferTypeANWBuffer;
         payload->pBuffer = imgBuffer.mGraphicBuffer->getNativeBuffer();
+        // b/28466701
+        payload->pBuffer = (ANativeWindowBuffer*)((uint8_t*)payload->pBuffer -
+                ICameraRecordingProxy::getCommonBaseAddress());
         payload->nFenceFd = -1;
 
         ALOGVV("%s: Camera %d: Sending out ANWBuffer %p",
@@ -874,6 +878,10 @@ void StreamingProcessor::releaseRecordingFrame(const sp<IMemory>& mem) {
         return;
     }
 
+    // b/28466701
+    payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) +
+            ICameraRecordingProxy::getCommonBaseAddress());
+
     // Release the buffer back to the recording queue
     size_t itemIndex;
     for (itemIndex = 0; itemIndex < mRecordingBuffers.size(); itemIndex++) {
-- 
cgit v1.1