Check effect command reply size in AudioFlingerandroid-6.0.1_r63 marshmallow-dr-dragon-release

Bug: 29251553 Change-Id: I1bcc1281f1f0542bb645f6358ce31631f2a8ffbf (cherry picked from commit 110bc9547a0c851ff1f20f5d7579b34f942947b8)
author: Andy Hung <hunga@google.com> 2016-06-20 15:22:52 -0700
committer: gitbuildkicker <android-build@google.com> 2016-07-21 15:04:01 -0700
commit: 100883026a37d5b0db3ac60d7174cab11339bc69 (patch)
tree: 2e3443efe29247292b460f0c486be4c233d91cbf
parent: 5ad443ea49332957b88f529d561f3e229221d60c (diff)
download: av-marshmallow-dr-dragon-release.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 949c91d295..eb52dee60d 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -558,6 +558,12 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
     if (mStatus != NO_ERROR) {
         return mStatus;
     }
+    if (cmdCode == EFFECT_CMD_GET_PARAM &&
+            (*replySize < sizeof(effect_param_t) ||
+                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t))) {
+        android_errorWriteLog(0x534e4554, "29251553");
+        return -EINVAL;
+    }
     status_t status = (*mEffectInterface)->command(mEffectInterface,
                                                    cmdCode,
                                                    cmdSize,
author	Andy Hung <hunga@google.com>	2016-06-20 15:22:52 -0700
committer	gitbuildkicker <android-build@google.com>	2016-07-21 15:04:01 -0700
commit	100883026a37d5b0db3ac60d7174cab11339bc69 (patch)
tree	2e3443efe29247292b460f0c486be4c233d91cbf
parent	5ad443ea49332957b88f529d561f3e229221d60c (diff)
download	av-marshmallow-dr-dragon-release.tar.gz