Check effect command reply size in AudioFlinger am: 110bc9547a am: 075c8f7713 am: c971a59f4c am: 195f7c6125 am: 1e1b7e4c3d am: d34a9dfc5e am: 4d942ffdf7 am: 97dc689080 am: 96727e67fa am: 2072f925af am: 807b325704 Change-Id: If0a3ddbf84c520434f88ad5f6f02fd854cf8c4aa

commit: c0da99333228e88c311f6e4d52bb282b11d0d068 [log] [tgz]
author: Andy Hung <hunga@google.com> Tue Jun 21 18:09:02 2016 +0000
committer: android-build-merger <android-build-merger@google.com> Tue Jun 21 18:09:02 2016 +0000
tree: 818206d8aa2b5db785b3dc2c5bf71eb94aadf2c6
parent: ef7c297ea4b61ec25f3277f83069c42997deac9a [diff]
parent: 807b325704b3361cb9846450e8d3bbea96a0fa1c [diff]
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp
index 00304b2..055e915 100644
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp

@@ -558,6 +558,12 @@
     if (mStatus != NO_ERROR) {
         return mStatus;
     }
+    if (cmdCode == EFFECT_CMD_GET_PARAM &&
+            (*replySize < sizeof(effect_param_t) ||
+                    ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t))) {
+        android_errorWriteLog(0x534e4554, "29251553");
+        return -EINVAL;
+    }
     status_t status = (*mEffectInterface)->command(mEffectInterface,
                                                    cmdCode,
                                                    cmdSize,
commit	c0da99333228e88c311f6e4d52bb282b11d0d068	[log] [tgz]
author	Andy Hung <hunga@google.com>	Tue Jun 21 18:09:02 2016 +0000
committer	android-build-merger <android-build-merger@google.com>	Tue Jun 21 18:09:02 2016 +0000
tree	818206d8aa2b5db785b3dc2c5bf71eb94aadf2c6
parent	ef7c297ea4b61ec25f3277f83069c42997deac9a [diff]
parent	807b325704b3361cb9846450e8d3bbea96a0fa1c [diff]