Fix security vulnerability: Equalizer setParameter memory overflow
Bug: 37563371
Test: use POC on bug or cts security test
Change-Id: Ia04f172fb21b11463ffa9ea023d69a3db01e0731
(cherry picked from commit 617cd5c7f46c2312c7253001c46e7eea4c0315e0)
(cherry picked from commit 9b4fd308a2c0858af5651a7884ec62f644ba65ed)
diff --git a/post_proc/equalizer.c b/post_proc/equalizer.c
index 45f8eb8..c1c1303 100644
--- a/post_proc/equalizer.c
+++ b/post_proc/equalizer.c
@@ -366,6 +366,7 @@
equalizer_context_t *eq_ctxt = (equalizer_context_t *)context;
int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
void *value = p->data + voffset;
+ int32_t vsize = (int32_t) p->vsize;
int32_t *param_tmp = (int32_t *)p->data;
int32_t param = *param_tmp++;
int32_t preset;
@@ -379,6 +380,10 @@
switch (param) {
case EQ_PARAM_CUR_PRESET:
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
preset = (int32_t)(*(uint16_t *)value);
if ((preset >= equalizer_get_num_presets(eq_ctxt)) || (preset < 0)) {
@@ -388,6 +393,10 @@
equalizer_set_preset(eq_ctxt, preset);
break;
case EQ_PARAM_BAND_LEVEL:
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
band = *param_tmp;
level = (int32_t)(*(int16_t *)value);
if (band < 0 || band >= NUM_EQ_BANDS) {
@@ -401,6 +410,10 @@
equalizer_set_band_level(eq_ctxt, band, level);
break;
case EQ_PARAM_PROPERTIES: {
+ if (vsize < sizeof(int16_t)) {
+ p->status = -EINVAL;
+ break;
+ }
int16_t *prop = (int16_t *)value;
if ((int)prop[0] >= equalizer_get_num_presets(eq_ctxt)) {
p->status = -EINVAL;
@@ -409,6 +422,13 @@
if (prop[0] >= 0) {
equalizer_set_preset(eq_ctxt, (int)prop[0]);
} else {
+ if (vsize < (2 + NUM_EQ_BANDS) * sizeof(int16_t)) {
+ android_errorWriteLog(0x534e4554, "37563371");
+ ALOGE("\tERROR EQ_PARAM_PROPERTIES valueSize %d < %d",
+ vsize, (2 + NUM_EQ_BANDS) * sizeof(int16_t));
+ p->status = -EINVAL;
+ break;
+ }
if ((int)prop[1] != NUM_EQ_BANDS) {
p->status = -EINVAL;
break;