From 440b3720fdd1d3e3986bf95b907447142900a974 Mon Sep 17 00:00:00 2001
From: rago
Date: Tue, 6 Jun 2017 15:02:43 -0700
Subject: Fix security vulnerability: Equalizer setParameter memory overflow

Bug: 37563371
Test: use POC on bug or cts security test
Change-Id: Ia04f172fb21b11463ffa9ea023d69a3db01e0731
(cherry picked from commit 617cd5c7f46c2312c7253001c46e7eea4c0315e0)
---
 post_proc/equalizer.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index 1cd40d2..8c9449a 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c
@@ -364,6 +364,7 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 equalizer_context_t *eq_ctxt = (equalizer_context_t *)context;
 int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
 void *value = p->data + voffset;
+ int32_t vsize = (int32_t) p->vsize;
 int32_t *param_tmp = (int32_t *)p->data;
 int32_t param = *param_tmp++;
 int32_t preset;
@@ -378,6 +379,10 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 switch (param) {
 case EQ_PARAM_CUR_PRESET:
 ALOGV("EQ_PARAM_CUR_PRESET");
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
 preset = (int32_t)(*(uint16_t *)value);
 if ((preset >= equalizer_get_num_presets(eq_ctxt)) ||
 (preset < 0)) {
@@ -388,6 +393,10 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 break;
 case EQ_PARAM_BAND_LEVEL:
 ALOGV("EQ_PARAM_BAND_LEVEL");
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
 band = *param_tmp;
 level = (int32_t)(*(int16_t *)value);
 if (band < 0 || band >= NUM_EQ_BANDS) {
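Review bot: `vsize` is declared as a signed int32_t, but every new bound check compares it against a size_t (`vsize < sizeof(int16_t)` in the EQ_PARAM_CUR_PRESET, EQ_PARAM_BAND_LEVEL and EQ_PARAM_PROPERTIES hunks, and `vsize < (2 + NUM_EQ_BANDS) * sizeof(int16_t)` in the last hunk), so the usual arithmetic conversions turn a negative vsize into a very large unsigned value that passes the check. p->vsize is an unsigned field of effect_param_t, so any value at or above 2^31 becomes negative in the cast on this line; keeping it unsigned, `uint32_t vsize = p->vsize;`, makes each comparison unsigned-vs-unsigned and removes the hazard (the first `%d` in the later ALOGE would then become `%u`). These checks establish only a lower bound on the value area; whether vsize also fits inside the command buffer the caller handed in is not visible here and is presumably validated by the caller, which is worth confirming. equalizer_set_parameter begins before this hunk.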
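Review bot: The new check in the EQ_PARAM_BAND_LEVEL hunk guards only the value area, while `band = *param_tmp` on the line after it reads a second int32_t from p->data, which requires p->psize >= 2 * sizeof(int32_t); nothing in the hunk verifies that (and `param = *param_tmp++` in the first hunk already assumes psize >= sizeof(int32_t)). If psize is not validated between the declarations and the `switch` — that stretch lies outside the hunks — add `if (p->psize < 2 * sizeof(int32_t)) { p->status = -EINVAL; break; }` ahead of the band read, or reject a short psize once before the switch. The rest of the case, including the band/level range check, continues past the end of the hunk.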
@@ -402,6 +411,10 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 break;
 case EQ_PARAM_PROPERTIES: {
 ALOGV("EQ_PARAM_PROPERTIES");
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
 int16_t *prop = (int16_t *)value;
 if ((int)prop[0] >= equalizer_get_num_presets(eq_ctxt)) {
 p->status = -EINVAL;
@@ -410,6 +423,13 @@ int equalizer_set_parameter(effect_context_t *context, effect_param_t *p,
 if (prop[0] >= 0) {
 equalizer_set_preset(eq_ctxt, (int)prop[0]);
 } else {
+ if (vsize < (2 + NUM_EQ_BANDS) * sizeof(int16_t)) {
+ android_errorWriteLog(0x534e4554, "37563371");
+ ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %d",
+ vsize, (2 + NUM_EQ_BANDS) * sizeof(int16_t));
+ p->status = -EINVAL;
+ break;
+ }
 if ((int)prop[1] != NUM_EQ_BANDS) {
 p->status = -EINVAL;
 break;
--
cgit v1.2.3
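Review bot: The added ALOGE in the last hunk passes `(2 + NUM_EQ_BANDS) * sizeof(int16_t)`, a size_t, to a `%d` conversion, which is a format/argument type mismatch (undefined behavior, and flagged by -Wformat on printf-style logging macros). Print it with `%zu` or cast it, e.g. `ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %d", vsize, (int)((2 + NUM_EQ_BANDS) * sizeof(int16_t)));`. The size check itself is placed correctly, before the first read of prop[1] in the else branch; the enclosing else block and the EQ_PARAM_PROPERTIES case continue past the end of the hunk.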