Skip to content

GitLab

Commit 321ea525 authored by rago's avatar rago Committed by gitbuildkicker
Browse files

Fix security vulnerability: Effect command might allow negative indexes 

Bug: 32448258
Bug: 32095626

Test: Use POC bug or cts security test
Change-Id: I69f24eac5866f8d9090fc4c0ebe58c2c297b63df
(cherry picked from commit 01183402d757f0c28bfd5e3b127b3809dfd67459)
parent 453b351a
Hide whitespace changes
Inline Side-by-side
Showing with 11 additions and 3 deletions
media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
View file @ 321ea525
......@@ -2419,9 +2419,13 @@ int Equalizer_getParameter(EffectContext *pContext,
case EQ_PARAM_GET_PRESET_NAME:
param2 = *pParamTemp;
if (param2 >= EqualizerGetNumPresets()) {
//if (param2 >= 20) { // AGO FIX
if ((param2 < 0 && param2 != PRESET_CUSTOM) || param2 >= EqualizerGetNumPresets()) {
status = -EINVAL;
if (param2 < 0) {
android_errorWriteLog(0x534e4554, "32448258");
ALOGE("\tERROR Equalizer_getParameter() EQ_PARAM_GET_PRESET_NAME preset %d",
param2);
}
break;
}
name = (char *)pValue;
......@@ -2491,8 +2495,12 @@ int Equalizer_setParameter (EffectContext *pContext, void *pParam, void *pValue)
band = *pParamTemp;
level = (int32_t)(*(int16_t *)pValue);
//ALOGV("\tEqualizer_setParameter() EQ_PARAM_BAND_LEVEL band %d, level %d", band, level);
if (band >= FIVEBAND_NUMBANDS) {
if (band < 0 || band >= FIVEBAND_NUMBANDS) {
status = -EINVAL;
if (band < 0) {
android_errorWriteLog(0x534e4554, "32095626");
ALOGE("\tERROR Equalizer_setParameter() EQ_PARAM_BAND_LEVEL band %d", band);
}
break;
}
EqualizerSetBandLevel(pContext, band, level);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment