audio-hal: AudioEffect reply overflow

Adding checks to avoid audio effect reply overflow.

Change-Id: Ib23427940fb1127439a97992b0c50e48edd4ec0a
diff --git a/post_proc/bundle.c b/post_proc/bundle.c
index 0dbf27b..a9f95b9 100644
--- a/post_proc/bundle.c
+++ b/post_proc/bundle.c
@@ -2,6 +2,8 @@
  * Copyright (c) 2013-2017, 2019, The Linux Foundation. All rights reserved.
  * Not a Contribution.
  *
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ *
  * Copyright (C) 2013 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -847,7 +849,8 @@
             pReplyData == NULL ||
             *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) ||
             // constrain memcpy below
-            ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
+            ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t) ||
+            ((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t)) {
             status = -EINVAL;
             ALOGW("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d",
                   cmdSize, *replySize);
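Review bot: The added bound `psize > cmdSize - sizeof(effect_param_t)` is computed in unsigned arithmetic because `sizeof` yields `size_t`, so it only protects the copy if an earlier clause has already rejected a `cmdSize` smaller than `sizeof(effect_param_t)`; otherwise the subtraction wraps to a very large value and any `psize` passes. The start of this condition is outside the hunk, so such a lower bound presumably exists there, but it should be confirmed and stated next to the check, e.g. `// cmdSize >= sizeof(effect_param_t) is enforced above, so this cannot wrap`. The same applies to the identical line added in voice_processing/voice_processing.c, where the visible clauses bound only `*replySize`. In visualizer/offload_visualizer.c the condition pins `cmdSize` exactly, so the wrap cannot happen there.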
diff --git a/post_proc/volume_listener.c b/post_proc/volume_listener.c
index 65575bc..cb8b02b 100644
--- a/post_proc/volume_listener.c
+++ b/post_proc/volume_listener.c
@@ -1,5 +1,7 @@
 /*
  * Copyright (c) 2015-2017, 2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ *
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -559,7 +561,7 @@
             bool recompute_gain_dep_cal_Level = false;
             ALOGV("cmd called EFFECT_CMD_SET_DEVICE ");
 
-            if (p_cmd_data == NULL) {
+            if (p_cmd_data == NULL || cmd_size < sizeof(uint32_t)) {
                 ALOGE("%s: EFFECT_CMD_SET_DEVICE: cmd data NULL", __func__);
                 status = -EINVAL;
                 goto exit;
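Review bot: The ALOGE text still says "cmd data NULL" although the branch now also fires when `cmd_size < sizeof(uint32_t)`, so a truncated EFFECT_CMD_SET_DEVICE payload will be reported as a NULL pointer and mislead anyone triaging the log. Suggest `ALOGE("%s: EFFECT_CMD_SET_DEVICE: cmd data NULL or cmd_size too small", __func__);`. The comparison assumes `cmd_size` is an unsigned type; its declaration is outside the hunk, so this is worth a quick check.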
diff --git a/visualizer/offload_visualizer.c b/visualizer/offload_visualizer.c
index 65b5938..e2b6f59 100644
--- a/visualizer/offload_visualizer.c
+++ b/visualizer/offload_visualizer.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2013 The Android Open Source Project
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -1321,7 +1322,10 @@
         if (pCmdData == NULL ||
             cmdSize != (int)(sizeof(effect_param_t) + sizeof(uint32_t)) ||
             pReplyData == NULL ||
-            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t))) {
+            *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t)) ||
+            // constrain memcpy below
+            ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t) ||
+            ((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t)) {
             status = -EINVAL;
             goto exit;
         }
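Review bot: `*replySize` is dereferenced in this condition, including in the new clause, but no clause here tests `replySize` itself against NULL. Unless an earlier part of the function (outside the hunk) guarantees it, add `replySize == NULL ||` directly after `pReplyData == NULL ||` so it is evaluated before the first dereference. Separately, because `cmdSize` is pinned to `sizeof(effect_param_t) + sizeof(uint32_t)` at the top of the condition, the new `cmdSize` clause reduces to `psize > sizeof(uint32_t)`; a comment such as `// cmdSize is fixed above, so this limits psize to sizeof(uint32_t)` would make that intent explicit.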
diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c
index 50cb7af..2847c90 100644
--- a/voice_processing/voice_processing.c
+++ b/voice_processing/voice_processing.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2013 The Android Open Source Project
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -582,7 +583,8 @@
                     pReplyData == NULL ||
                     *replySize < (int)sizeof(effect_param_t) ||
                     // constrain memcpy below
-                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) {
+                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t) ||
+                    ((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t)) {
                 ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args");
                 return -EINVAL;
             }
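Review bot: The rejection path logs with ALOGV and no sizes, so a malformed EFFECT_CMD_GET_PARAM that trips the new bound will usually leave no trace, since verbose logging is normally compiled out of release builds. bundle.c reports the same rejection with ALOGW and the offending sizes; doing the same here, e.g. `ALOGW("fx_command() EFFECT_CMD_GET_PARAM invalid args cmdSize %d *replySize %d", cmdSize, *replySize);` (format specifiers adjusted to the declared types, which are outside the hunk), would make rejected commands visible for detection and triage. The enclosing condition begins before the hunk.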