From ddb37ce2cc2e668f06c0f4e0830bd37188fdff64 Mon Sep 17 00:00:00 2001 From: Eric Laurent Date: Fri, 19 Jun 2015 15:33:57 -0700 Subject: [PATCH] audio effects: fix heap overflow Check consistency of effect command reply sizes before copying to reply address. Also add null pointer check on reply size. Also remove unused parameter warning. Bug: 21953516. Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4 Signed-off-by: Eric Laurent Tested-by: Moritz Bandemer --- media/libeffects/downmix/EffectDownmix.c | 18 +-- .../libeffects/lvm/wrapper/Bundle/EffectBundle.cpp | 130 +++++++-------------- .../libeffects/lvm/wrapper/Reverb/EffectReverb.cpp | 30 +++-- media/libeffects/preprocessing/PreProcessing.cpp | 35 +++--- media/libeffects/visualizer/EffectVisualizer.cpp | 16 +-- 5 files changed, 90 insertions(+), 139 deletions(-) diff --git a/media/libeffects/downmix/EffectDownmix.c b/media/libeffects/downmix/EffectDownmix.c index 5bf052a..ce1181c 100644 --- a/media/libeffects/downmix/EffectDownmix.c +++ b/media/libeffects/downmix/EffectDownmix.c @@ -179,8 +179,8 @@ int32_t DownmixLib_QueryEffect(uint32_t index, effect_descriptor_t *pDescriptor) int32_t DownmixLib_Create(const effect_uuid_t *uuid, - int32_t sessionId, - int32_t ioId, + int32_t sessionId __unused, + int32_t ioId __unused, effect_handle_t *pHandle) { int ret; int i; @@ -403,7 +403,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS switch (cmdCode) { case EFFECT_CMD_INIT: - if (pReplyData == NULL || *replySize != sizeof(int)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } *(int *) pReplyData = Downmix_Init(pDwmModule); @@ -411,7 +411,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS case EFFECT_CMD_SET_CONFIG: if (pCmdData == NULL || cmdSize != sizeof(effect_config_t) - || pReplyData == NULL || *replySize != sizeof(int)) { + || pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } *(int *) pReplyData = Downmix_Configure(pDwmModule, @@ -426,7 +426,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS ALOGV("Downmix_Command EFFECT_CMD_GET_PARAM pCmdData %p, *replySize %d, pReplyData: %p", pCmdData, *replySize, pReplyData); if (pCmdData == NULL || cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)) || - pReplyData == NULL || + pReplyData == NULL || replySize == NULL || *replySize < (int) sizeof(effect_param_t) + 2 * sizeof(int32_t)) { return -EINVAL; } @@ -443,7 +443,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS ALOGV("Downmix_Command EFFECT_CMD_SET_PARAM cmdSize %d pCmdData %p, *replySize %d, " \ "pReplyData %p", cmdSize, pCmdData, *replySize, pReplyData); if (pCmdData == NULL || (cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t))) - || pReplyData == NULL || *replySize != (int)sizeof(int32_t)) { + || pReplyData == NULL || replySize == NULL || *replySize != (int)sizeof(int32_t)) { return -EINVAL; } effect_param_t *cmd = (effect_param_t *) pCmdData; @@ -462,7 +462,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS break; case EFFECT_CMD_ENABLE: - if (pReplyData == NULL || *replySize != sizeof(int)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } if (pDownmixer->state != DOWNMIX_STATE_INITIALIZED) { @@ -474,7 +474,7 @@ static int Downmix_Command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdS break; case EFFECT_CMD_DISABLE: - if (pReplyData == NULL || *replySize != sizeof(int)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } if (pDownmixer->state != DOWNMIX_STATE_ACTIVE) { @@ -689,7 +689,7 @@ int Downmix_Configure(downmix_module_t *pDwmModule, effect_config_t *pConfig, bo *---------------------------------------------------------------------------- */ -int Downmix_Reset(downmix_object_t *pDownmixer, bool init) { +int Downmix_Reset(downmix_object_t *pDownmixer __unused, bool init __unused) { // nothing to do here return 0; } diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp index d706c2d..35c7966 100644 --- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp +++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp @@ -2787,7 +2787,7 @@ int Effect_command(effect_handle_t self, switch (cmdCode){ case EFFECT_CMD_INIT: - if (pReplyData == NULL || *replySize != sizeof(int)){ + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)){ ALOGV("\tLVM_ERROR, EFFECT_CMD_INIT: ERROR for effect type %d", pContext->EffectType); return -EINVAL; @@ -2814,10 +2814,8 @@ int Effect_command(effect_handle_t self, case EFFECT_CMD_SET_CONFIG: //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_SET_CONFIG start"); - if (pCmdData == NULL|| - cmdSize != sizeof(effect_config_t)|| - pReplyData == NULL|| - *replySize != sizeof(int)){ + if (pCmdData == NULL || cmdSize != sizeof(effect_config_t) || + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: " "EFFECT_CMD_SET_CONFIG: ERROR"); return -EINVAL; @@ -2827,8 +2825,7 @@ int Effect_command(effect_handle_t self, break; case EFFECT_CMD_GET_CONFIG: - if (pReplyData == NULL || - *replySize != sizeof(effect_config_t)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(effect_config_t)) { ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: " "EFFECT_CMD_GET_CONFIG: ERROR"); return -EINVAL; @@ -2845,31 +2842,28 @@ int Effect_command(effect_handle_t self, case EFFECT_CMD_GET_PARAM:{ //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start"); + effect_param_t *p = (effect_param_t *)pCmdData; - if(pContext->EffectType == LVM_BASS_BOOST){ - if (pCmdData == NULL || - cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)) || - pReplyData == NULL || - *replySize < (int) (sizeof(effect_param_t) + sizeof(int32_t))){ - ALOGV("\tLVM_ERROR : BassBoost_command cmdCode Case: " - "EFFECT_CMD_GET_PARAM: ERROR"); - return -EINVAL; - } - effect_param_t *p = (effect_param_t *)pCmdData; + if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) || + cmdSize < (sizeof(effect_param_t) + p->psize) || + pReplyData == NULL || replySize == NULL || + *replySize < (sizeof(effect_param_t) + p->psize)) { + ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR"); + return -EINVAL; + } - memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); + memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); - p = (effect_param_t *)pReplyData; + p = (effect_param_t *)pReplyData; - int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t); + int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t); + if(pContext->EffectType == LVM_BASS_BOOST){ p->status = android::BassBoost_getParameter(pContext, p->data, (size_t *)&p->vsize, p->data + voffset); - *replySize = sizeof(effect_param_t) + voffset + p->vsize; - //ALOGV("\tBassBoost_command EFFECT_CMD_GET_PARAM " // "*pCmdData %d, *replySize %d, *pReplyData %d ", // *(int32_t *)((char *)pCmdData + sizeof(effect_param_t)), @@ -2878,29 +2872,12 @@ int Effect_command(effect_handle_t self, } if(pContext->EffectType == LVM_VIRTUALIZER){ - if (pCmdData == NULL || - cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)) || - pReplyData == NULL || - *replySize < (int) (sizeof(effect_param_t) + sizeof(int32_t))){ - ALOGV("\tLVM_ERROR : Virtualizer_command cmdCode Case: " - "EFFECT_CMD_GET_PARAM: ERROR"); - return -EINVAL; - } - effect_param_t *p = (effect_param_t *)pCmdData; - - memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); - - p = (effect_param_t *)pReplyData; - - int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t); p->status = android::Virtualizer_getParameter(pContext, (void *)p->data, (size_t *)&p->vsize, p->data + voffset); - *replySize = sizeof(effect_param_t) + voffset + p->vsize; - //ALOGV("\tVirtualizer_command EFFECT_CMD_GET_PARAM " // "*pCmdData %d, *replySize %d, *pReplyData %d ", // *(int32_t *)((char *)pCmdData + sizeof(effect_param_t)), @@ -2910,29 +2887,12 @@ int Effect_command(effect_handle_t self, if(pContext->EffectType == LVM_EQUALIZER){ //ALOGV("\tEqualizer_command cmdCode Case: " // "EFFECT_CMD_GET_PARAM start"); - if (pCmdData == NULL || - cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)) || - pReplyData == NULL || - *replySize < (int) (sizeof(effect_param_t) + sizeof(int32_t))) { - ALOGV("\tLVM_ERROR : Equalizer_command cmdCode Case: " - "EFFECT_CMD_GET_PARAM"); - return -EINVAL; - } - effect_param_t *p = (effect_param_t *)pCmdData; - - memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); - - p = (effect_param_t *)pReplyData; - - int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t); p->status = android::Equalizer_getParameter(pContext, p->data, &p->vsize, p->data + voffset); - *replySize = sizeof(effect_param_t) + voffset + p->vsize; - //ALOGV("\tEqualizer_command EFFECT_CMD_GET_PARAM *pCmdData %d, *replySize %d, " // "*pReplyData %08x %08x", // *(int32_t *)((char *)pCmdData + sizeof(effect_param_t)), *replySize, @@ -2942,35 +2902,20 @@ int Effect_command(effect_handle_t self, } if(pContext->EffectType == LVM_VOLUME){ //ALOGV("\tVolume_command cmdCode Case: EFFECT_CMD_GET_PARAM start"); - if (pCmdData == NULL || - cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)) || - pReplyData == NULL || - *replySize < (int) (sizeof(effect_param_t) + sizeof(int32_t))){ - ALOGV("\tLVM_ERROR : Volume_command cmdCode Case: " - "EFFECT_CMD_GET_PARAM: ERROR"); - return -EINVAL; - } - effect_param_t *p = (effect_param_t *)pCmdData; - - memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); - - p = (effect_param_t *)pReplyData; - - int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t); p->status = android::Volume_getParameter(pContext, (void *)p->data, (size_t *)&p->vsize, p->data + voffset); - *replySize = sizeof(effect_param_t) + voffset + p->vsize; - //ALOGV("\tVolume_command EFFECT_CMD_GET_PARAM " // "*pCmdData %d, *replySize %d, *pReplyData %d ", // *(int32_t *)((char *)pCmdData + sizeof(effect_param_t)), // *replySize, // *(int16_t *)((char *)pReplyData + sizeof(effect_param_t) + voffset)); } + *replySize = sizeof(effect_param_t) + voffset + p->vsize; + //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM end"); } break; case EFFECT_CMD_SET_PARAM:{ @@ -2981,10 +2926,9 @@ int Effect_command(effect_handle_t self, // *replySize, // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) + sizeof(int32_t))); - if (pCmdData == NULL|| - cmdSize != (int)(sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int16_t))|| - pReplyData == NULL|| - *replySize != sizeof(int32_t)){ + if (pCmdData == NULL || + cmdSize != (sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int16_t)) || + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) { ALOGV("\tLVM_ERROR : BassBoost_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR"); return -EINVAL; @@ -3014,10 +2958,11 @@ int Effect_command(effect_handle_t self, // *replySize, // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) + sizeof(int32_t))); - if (pCmdData == NULL|| - cmdSize != (int)(sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int16_t))|| - pReplyData == NULL|| - *replySize != sizeof(int32_t)){ + if (pCmdData == NULL || + // legal parameters are int16_t or int32_t + cmdSize > (sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int32_t)) || + cmdSize < (sizeof(effect_param_t) + sizeof(int32_t) +sizeof(int16_t)) || + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) { ALOGV("\tLVM_ERROR : Virtualizer_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR"); return -EINVAL; @@ -3050,7 +2995,7 @@ int Effect_command(effect_handle_t self, // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) + sizeof(int32_t))); if (pCmdData == NULL || cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)) || - pReplyData == NULL || *replySize != sizeof(int32_t)) { + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) { ALOGV("\tLVM_ERROR : Equalizer_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR"); return -EINVAL; @@ -3068,10 +3013,10 @@ int Effect_command(effect_handle_t self, // *replySize, // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) +sizeof(int32_t))); - if ( pCmdData == NULL|| - cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t))|| - pReplyData == NULL|| - *replySize != sizeof(int32_t)){ + if (pCmdData == NULL || + cmdSize < (sizeof(effect_param_t) + sizeof(int32_t)) || + pReplyData == NULL || replySize == NULL || + *replySize != sizeof(int32_t)) { ALOGV("\tLVM_ERROR : Volume_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR"); return -EINVAL; @@ -3087,7 +3032,7 @@ int Effect_command(effect_handle_t self, case EFFECT_CMD_ENABLE: ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_ENABLE start"); - if (pReplyData == NULL || *replySize != sizeof(int)){ + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: EFFECT_CMD_ENABLE: ERROR"); return -EINVAL; } @@ -3097,7 +3042,7 @@ int Effect_command(effect_handle_t self, case EFFECT_CMD_DISABLE: //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_DISABLE start"); - if (pReplyData == NULL || *replySize != sizeof(int)){ + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: EFFECT_CMD_DISABLE: ERROR"); return -EINVAL; } @@ -3107,6 +3052,11 @@ int Effect_command(effect_handle_t self, case EFFECT_CMD_SET_DEVICE: { ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_SET_DEVICE start"); + if (pCmdData == NULL){ + ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: EFFECT_CMD_SET_DEVICE: ERROR"); + return -EINVAL; + } + uint32_t device = *(uint32_t *)pCmdData; if (pContext->EffectType == LVM_BASS_BOOST) { @@ -3193,8 +3143,8 @@ int Effect_command(effect_handle_t self, break; } - if (pCmdData == NULL || - cmdSize != 2 * sizeof(uint32_t)) { + if (pCmdData == NULL || cmdSize != 2 * sizeof(uint32_t) || pReplyData == NULL || + replySize == NULL || *replySize < 2*sizeof(int32_t)) { ALOGV("\tLVM_ERROR : Effect_command cmdCode Case: " "EFFECT_CMD_SET_VOLUME: ERROR"); return -EINVAL; diff --git a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp index 941d651..613d026 100755 --- a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp +++ b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp @@ -212,8 +212,8 @@ extern "C" int EffectQueryEffect(uint32_t index, } /* end EffectQueryEffect */ extern "C" int EffectCreate(const effect_uuid_t *uuid, - int32_t sessionId, - int32_t ioId, + int32_t sessionId __unused, + int32_t ioId __unused, effect_handle_t *pHandle){ int ret; int i; @@ -1936,7 +1936,7 @@ int Reverb_command(effect_handle_t self, //ALOGV("\tReverb_command cmdCode Case: " // "EFFECT_CMD_INIT start"); - if (pReplyData == NULL || *replySize != sizeof(int)){ + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)){ ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_INIT: ERROR"); return -EINVAL; @@ -1947,10 +1947,8 @@ int Reverb_command(effect_handle_t self, case EFFECT_CMD_SET_CONFIG: //ALOGV("\tReverb_command cmdCode Case: " // "EFFECT_CMD_SET_CONFIG start"); - if (pCmdData == NULL || - cmdSize != sizeof(effect_config_t) || - pReplyData == NULL || - *replySize != sizeof(int)) { + if (pCmdData == NULL || cmdSize != sizeof(effect_config_t) || + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_SET_CONFIG: ERROR"); return -EINVAL; @@ -1960,8 +1958,7 @@ int Reverb_command(effect_handle_t self, break; case EFFECT_CMD_GET_CONFIG: - if (pReplyData == NULL || - *replySize != sizeof(effect_config_t)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(effect_config_t)) { ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_GET_CONFIG: ERROR"); return -EINVAL; @@ -1979,15 +1976,16 @@ int Reverb_command(effect_handle_t self, case EFFECT_CMD_GET_PARAM:{ //ALOGV("\tReverb_command cmdCode Case: " // "EFFECT_CMD_GET_PARAM start"); - if (pCmdData == NULL || - cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t)) || - pReplyData == NULL || - *replySize < (int) (sizeof(effect_param_t) + sizeof(int32_t))){ + effect_param_t *p = (effect_param_t *)pCmdData; + + if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) || + cmdSize < (sizeof(effect_param_t) + p->psize) || + pReplyData == NULL || replySize == NULL || + *replySize < (sizeof(effect_param_t) + p->psize)) { ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_GET_PARAM: ERROR"); return -EINVAL; } - effect_param_t *p = (effect_param_t *)pCmdData; memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); @@ -2018,8 +2016,8 @@ int Reverb_command(effect_handle_t self, // *replySize, // *(int16_t *)((char *)pCmdData + sizeof(effect_param_t) + sizeof(int32_t))); - if (pCmdData == NULL || (cmdSize < (int)(sizeof(effect_param_t) + sizeof(int32_t))) - || pReplyData == NULL || *replySize != (int)sizeof(int32_t)) { + if (pCmdData == NULL || (cmdSize < (sizeof(effect_param_t) + sizeof(int32_t))) || + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) { ALOGV("\tLVM_ERROR : Reverb_command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR"); return -EINVAL; diff --git a/media/libeffects/preprocessing/PreProcessing.cpp b/media/libeffects/preprocessing/PreProcessing.cpp index 597866a..fe9acf6 100755 --- a/media/libeffects/preprocessing/PreProcessing.cpp +++ b/media/libeffects/preprocessing/PreProcessing.cpp @@ -575,16 +575,18 @@ int NsCreate(preproc_effect_t *effect) return 0; } -int NsGetParameter(preproc_effect_t *effect, - void *pParam, - size_t *pValueSize, - void *pValue) +int NsGetParameter(preproc_effect_t *effect __unused, + void *pParam __unused, + uint32_t *pValueSize __unused, + void *pValue __unused) { int status = 0; return status; } -int NsSetParameter (preproc_effect_t *effect, void *pParam, void *pValue) +int NsSetParameter (preproc_effect_t *effect __unused, + void *pParam __unused, + void *pValue __unused) { int status = 0; return status; @@ -1434,16 +1436,17 @@ int PreProcessingFx_Command(effect_handle_t self, } break; - case EFFECT_CMD_GET_PARAM:{ - if (pCmdData == NULL || - cmdSize < (int)sizeof(effect_param_t) || - pReplyData == NULL || - *replySize < (int)sizeof(effect_param_t)){ + case EFFECT_CMD_GET_PARAM: { + effect_param_t *p = (effect_param_t *)pCmdData; + + if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) || + cmdSize < (sizeof(effect_param_t) + p->psize) || + pReplyData == NULL || replySize == NULL || + *replySize < (sizeof(effect_param_t) + p->psize)){ ALOGV("PreProcessingFx_Command cmdCode Case: " "EFFECT_CMD_GET_PARAM: ERROR"); return -EINVAL; } - effect_param_t *p = (effect_param_t *)pCmdData; memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); @@ -1461,8 +1464,8 @@ int PreProcessingFx_Command(effect_handle_t self, case EFFECT_CMD_SET_PARAM:{ if (pCmdData == NULL|| - cmdSize < (int)sizeof(effect_param_t) || - pReplyData == NULL || + cmdSize < sizeof(effect_param_t) || + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)){ ALOGV("PreProcessingFx_Command cmdCode Case: " "EFFECT_CMD_SET_PARAM: ERROR"); @@ -1483,7 +1486,7 @@ int PreProcessingFx_Command(effect_handle_t self, } break; case EFFECT_CMD_ENABLE: - if (pReplyData == NULL || *replySize != sizeof(int)){ + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)){ ALOGV("PreProcessingFx_Command cmdCode Case: EFFECT_CMD_ENABLE: ERROR"); return -EINVAL; } @@ -1491,7 +1494,7 @@ int PreProcessingFx_Command(effect_handle_t self, break; case EFFECT_CMD_DISABLE: - if (pReplyData == NULL || *replySize != sizeof(int)){ + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)){ ALOGV("PreProcessingFx_Command cmdCode Case: EFFECT_CMD_DISABLE: ERROR"); return -EINVAL; } @@ -1711,7 +1714,7 @@ int PreProcessingFx_GetDescriptor(effect_handle_t self, int PreProcessingFx_ProcessReverse(effect_handle_t self, audio_buffer_t *inBuffer, - audio_buffer_t *outBuffer) + audio_buffer_t *outBuffer __unused) { preproc_effect_t * effect = (preproc_effect_t *)self; int status = 0; diff --git a/media/libeffects/visualizer/EffectVisualizer.cpp b/media/libeffects/visualizer/EffectVisualizer.cpp index 44baf93..1ec755d 100644 --- a/media/libeffects/visualizer/EffectVisualizer.cpp +++ b/media/libeffects/visualizer/EffectVisualizer.cpp @@ -367,21 +367,21 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, switch (cmdCode) { case EFFECT_CMD_INIT: - if (pReplyData == NULL || *replySize != sizeof(int)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } *(int *) pReplyData = Visualizer_init(pContext); break; case EFFECT_CMD_SET_CONFIG: if (pCmdData == NULL || cmdSize != sizeof(effect_config_t) - || pReplyData == NULL || *replySize != sizeof(int)) { + || pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } *(int *) pReplyData = Visualizer_setConfig(pContext, (effect_config_t *) pCmdData); break; case EFFECT_CMD_GET_CONFIG: - if (pReplyData == NULL || + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(effect_config_t)) { return -EINVAL; } @@ -391,7 +391,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, Visualizer_reset(pContext); break; case EFFECT_CMD_ENABLE: - if (pReplyData == NULL || *replySize != sizeof(int)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } if (pContext->mState != VISUALIZER_STATE_INITIALIZED) { @@ -402,7 +402,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, *(int *)pReplyData = 0; break; case EFFECT_CMD_DISABLE: - if (pReplyData == NULL || *replySize != sizeof(int)) { + if (pReplyData == NULL || replySize == NULL || *replySize != sizeof(int)) { return -EINVAL; } if (pContext->mState != VISUALIZER_STATE_ACTIVE) { @@ -415,7 +415,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, case EFFECT_CMD_GET_PARAM: { if (pCmdData == NULL || cmdSize != (int)(sizeof(effect_param_t) + sizeof(uint32_t)) || - pReplyData == NULL || + pReplyData == NULL || replySize == NULL || *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t))) { return -EINVAL; } @@ -447,7 +447,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, case EFFECT_CMD_SET_PARAM: { if (pCmdData == NULL || cmdSize != (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint32_t)) || - pReplyData == NULL || *replySize != sizeof(int32_t)) { + pReplyData == NULL || replySize == NULL || *replySize != sizeof(int32_t)) { return -EINVAL; } *(int32_t *)pReplyData = 0; @@ -480,7 +480,7 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, case VISUALIZER_CMD_CAPTURE: - if (pReplyData == NULL || *replySize != pContext->mCaptureSize) { + if (pReplyData == NULL || replySize == NULL || *replySize != pContext->mCaptureSize) { ALOGV("VISUALIZER_CMD_CAPTURE() error *replySize %d pContext->mCaptureSize %d", *replySize, pContext->mCaptureSize); return -EINVAL; -- 1.9.1