Android-x86
Fork
Donation

  • R/O
  • HTTP
  • SSH
  • HTTPS

frameworks-av: Commit

frameworks/av


Commit MetaInfo

Revision30799e0cc79cc7bc5c18825483f6732cd53709c4 (tree)
Time2017-03-24 00:09:33
AuthorChih-Wei Huang <cwhuang@linu...>
CommiterChih-Wei Huang

Log Message

Android 6.0.1 release 79
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEABECAAYFAli9mFkACgkQ6K0/gZqxDnhXFACdHQnxQOvH3WkKGa1KqoZCystz
fkAAnAhkK+wsjsxSlABMAfN15SyH3hIe
=jysC
-----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r79' into marshmallow-x86

Android 6.0.1 release 79

Change Summary

Incremental Difference

--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -2354,8 +2354,12 @@ int Equalizer_getParameter(EffectContext *pContext,
23542354
23552355 case EQ_PARAM_BAND_LEVEL:
23562356 param2 = *pParamTemp;
2357- if (param2 >= FIVEBAND_NUMBANDS) {
2357+ if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) {
23582358 status = -EINVAL;
2359+ if (param2 < 0) {
2360+ android_errorWriteLog(0x534e4554, "32438598");
2361+ ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_BAND_LEVEL band %d", param2);
2362+ }
23592363 break;
23602364 }
23612365 *(int16_t *)pValue = (int16_t)EqualizerGetBandLevel(pContext, param2);
@@ -2365,8 +2369,12 @@ int Equalizer_getParameter(EffectContext *pContext,
23652369
23662370 case EQ_PARAM_CENTER_FREQ:
23672371 param2 = *pParamTemp;
2368- if (param2 >= FIVEBAND_NUMBANDS) {
2372+ if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) {
23692373 status = -EINVAL;
2374+ if (param2 < 0) {
2375+ android_errorWriteLog(0x534e4554, "32436341");
2376+ ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_CENTER_FREQ band %d", param2);
2377+ }
23702378 break;
23712379 }
23722380 *(int32_t *)pValue = EqualizerGetCentreFrequency(pContext, param2);
@@ -2376,8 +2384,12 @@ int Equalizer_getParameter(EffectContext *pContext,
23762384
23772385 case EQ_PARAM_BAND_FREQ_RANGE:
23782386 param2 = *pParamTemp;
2379- if (param2 >= FIVEBAND_NUMBANDS) {
2387+ if (param2 < 0 || param2 >= FIVEBAND_NUMBANDS) {
23802388 status = -EINVAL;
2389+ if (param2 < 0) {
2390+ android_errorWriteLog(0x534e4554, "32247948");
2391+ ALOGW("\tERROR Equalizer_getParameter() EQ_PARAM_BAND_FREQ_RANGE band %d", param2);
2392+ }
23812393 break;
23822394 }
23832395 EqualizerGetBandFreqRange(pContext, param2, (uint32_t *)pValue, ((uint32_t *)pValue + 1));
@@ -2404,9 +2416,13 @@ int Equalizer_getParameter(EffectContext *pContext,
24042416
24052417 case EQ_PARAM_GET_PRESET_NAME:
24062418 param2 = *pParamTemp;
2407- if (param2 >= EqualizerGetNumPresets()) {
2408- //if (param2 >= 20) { // AGO FIX
2419+ if ((param2 < 0 && param2 != PRESET_CUSTOM) || param2 >= EqualizerGetNumPresets()) {
24092420 status = -EINVAL;
2421+ if (param2 < 0) {
2422+ android_errorWriteLog(0x534e4554, "32448258");
2423+ ALOGE("\tERROR Equalizer_getParameter() EQ_PARAM_GET_PRESET_NAME preset %d",
2424+ param2);
2425+ }
24102426 break;
24112427 }
24122428 name = (char *)pValue;
@@ -2476,8 +2492,12 @@ int Equalizer_setParameter (EffectContext *pContext, void *pParam, void *pValue)
24762492 band = *pParamTemp;
24772493 level = (int32_t)(*(int16_t *)pValue);
24782494 //ALOGV("\tEqualizer_setParameter() EQ_PARAM_BAND_LEVEL band %d, level %d", band, level);
2479- if (band >= FIVEBAND_NUMBANDS) {
2495+ if (band < 0 || band >= FIVEBAND_NUMBANDS) {
24802496 status = -EINVAL;
2497+ if (band < 0) {
2498+ android_errorWriteLog(0x534e4554, "32095626");
2499+ ALOGE("\tERROR Equalizer_setParameter() EQ_PARAM_BAND_LEVEL band %d", band);
2500+ }
24812501 break;
24822502 }
24832503 EqualizerSetBandLevel(pContext, band, level);
@@ -3091,10 +3111,6 @@ int Effect_command(effect_handle_t self,
30913111 //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");
30923112
30933113 effect_param_t *p = (effect_param_t *)pCmdData;
3094- if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
3095- android_errorWriteLog(0x534e4554, "26347509");
3096- return -EINVAL;
3097- }
30983114 if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
30993115 cmdSize < (sizeof(effect_param_t) + p->psize) ||
31003116 pReplyData == NULL || replySize == NULL ||
@@ -3102,13 +3118,32 @@ int Effect_command(effect_handle_t self,
31023118 ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR");
31033119 return -EINVAL;
31043120 }
3121+ if (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
3122+ android_errorWriteLog(0x534e4554, "26347509");
3123+ ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: psize too big");
3124+ return -EINVAL;
3125+ }
3126+ uint32_t paddedParamSize = ((p->psize + sizeof(int32_t) - 1) / sizeof(int32_t)) *
3127+ sizeof(int32_t);
3128+ if ((EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < paddedParamSize) ||
3129+ (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) - paddedParamSize <
3130+ p->vsize)) {
3131+ ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: padded_psize or vsize too big");
3132+ return -EINVAL;
3133+ }
3134+ uint32_t expectedReplySize = sizeof(effect_param_t) + paddedParamSize + p->vsize;
3135+ if (*replySize < expectedReplySize) {
3136+ ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: min. replySize %u, got %u bytes",
3137+ expectedReplySize, *replySize);
3138+ android_errorWriteLog(0x534e4554, "32705438");
3139+ return -EINVAL;
3140+ }
31053141
31063142 memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
31073143
31083144 p = (effect_param_t *)pReplyData;
31093145
3110- int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
3111-
3146+ uint32_t voffset = paddedParamSize;
31123147 if(pContext->EffectType == LVM_BASS_BOOST){
31133148 p->status = android::BassBoost_getParameter(pContext,
31143149 p->data,
--- a/media/libeffects/visualizer/EffectVisualizer.cpp
+++ b/media/libeffects/visualizer/EffectVisualizer.cpp
@@ -59,6 +59,8 @@ enum visualizer_state_e {
5959
6060 #define DISCARD_MEASUREMENTS_TIME_MS 2000 // discard measurements older than this number of ms
6161
62+#define MAX_LATENCY_MS 3000 // 3 seconds of latency for audio pipeline
63+
6264 // maximum number of buffers for which we keep track of the measurements
6365 #define MEASUREMENT_WINDOW_MAX_SIZE_IN_BUFFERS 25 // note: buffer index is stored in uint8_t
6466
@@ -521,18 +523,29 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
521523 break;
522524 }
523525 switch (*(uint32_t *)p->data) {
524- case VISUALIZER_PARAM_CAPTURE_SIZE:
525- pContext->mCaptureSize = *((uint32_t *)p->data + 1);
526- ALOGV("set mCaptureSize = %" PRIu32, pContext->mCaptureSize);
527- break;
526+ case VISUALIZER_PARAM_CAPTURE_SIZE: {
527+ const uint32_t captureSize = *((uint32_t *)p->data + 1);
528+ if (captureSize > VISUALIZER_CAPTURE_SIZE_MAX) {
529+ android_errorWriteLog(0x534e4554, "31781965");
530+ *(int32_t *)pReplyData = -EINVAL;
531+ ALOGW("set mCaptureSize = %u > %u", captureSize, VISUALIZER_CAPTURE_SIZE_MAX);
532+ } else {
533+ pContext->mCaptureSize = captureSize;
534+ ALOGV("set mCaptureSize = %u", captureSize);
535+ }
536+ } break;
528537 case VISUALIZER_PARAM_SCALING_MODE:
529538 pContext->mScalingMode = *((uint32_t *)p->data + 1);
530539 ALOGV("set mScalingMode = %" PRIu32, pContext->mScalingMode);
531540 break;
532- case VISUALIZER_PARAM_LATENCY:
533- pContext->mLatency = *((uint32_t *)p->data + 1);
534- ALOGV("set mLatency = %" PRIu32, pContext->mLatency);
535- break;
541+ case VISUALIZER_PARAM_LATENCY: {
542+ uint32_t latency = *((uint32_t *)p->data + 1);
543+ if (latency > MAX_LATENCY_MS) {
544+ latency = MAX_LATENCY_MS; // clamp latency b/31781965
545+ }
546+ pContext->mLatency = latency;
547+ ALOGV("set mLatency = %u", latency);
548+ } break;
536549 case VISUALIZER_PARAM_MEASUREMENT_MODE:
537550 pContext->mMeasurementMode = *((uint32_t *)p->data + 1);
538551 ALOGV("set mMeasurementMode = %" PRIu32, pContext->mMeasurementMode);
@@ -571,10 +584,18 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
571584 if (latencyMs < 0) {
572585 latencyMs = 0;
573586 }
574- const uint32_t deltaSmpl =
575- pContext->mConfig.inputCfg.samplingRate * latencyMs / 1000;
576- int32_t capturePoint = pContext->mCaptureIdx - captureSize - deltaSmpl;
587+ uint32_t deltaSmpl = captureSize
588+ + pContext->mConfig.inputCfg.samplingRate * latencyMs / 1000;
589+
590+ // large sample rate, latency, or capture size, could cause overflow.
591+ // do not offset more than the size of buffer.
592+ if (deltaSmpl > CAPTURE_BUF_SIZE) {
593+ android_errorWriteLog(0x534e4554, "31781965");
594+ deltaSmpl = CAPTURE_BUF_SIZE;
595+ }
577596
597+ int32_t capturePoint = pContext->mCaptureIdx - deltaSmpl;
598+ // a negative capturePoint means we wrap the buffer.
578599 if (capturePoint < 0) {
579600 uint32_t size = -capturePoint;
580601 if (size > captureSize) {
@@ -602,9 +623,14 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
602623 case VISUALIZER_CMD_MEASURE: {
603624 if (pReplyData == NULL || replySize == NULL ||
604625 *replySize < (sizeof(int32_t) * MEASUREMENT_COUNT)) {
605- ALOGV("VISUALIZER_CMD_MEASURE() error *replySize %" PRIu32
606- " < (sizeof(int32_t) * MEASUREMENT_COUNT) %" PRIu32, *replySize,
607- sizeof(int32_t) * MEASUREMENT_COUNT);
626+ if (replySize == NULL) {
627+ ALOGV("VISUALIZER_CMD_MEASURE() error replySize NULL");
628+ } else {
629+ ALOGV("VISUALIZER_CMD_MEASURE() error *replySize %" PRIu32
630+ " < (sizeof(int32_t) * MEASUREMENT_COUNT) %" PRIu32,
631+ *replySize,
632+ uint32_t(sizeof(int32_t)) * MEASUREMENT_COUNT);
633+ }
608634 android_errorWriteLog(0x534e4554, "30229821");
609635 return -EINVAL;
610636 }
--- a/media/libmedia/IEffect.cpp
+++ b/media/libmedia/IEffect.cpp
@@ -25,6 +25,9 @@
2525
2626 namespace android {
2727
28+// Maximum command/reply size expected
29+#define EFFECT_PARAM_SIZE_MAX 65536
30+
2831 enum {
2932 ENABLE = IBinder::FIRST_CALL_TRANSACTION,
3033 DISABLE,
@@ -156,6 +159,10 @@ status_t BnEffect::onTransact(
156159 uint32_t cmdSize = data.readInt32();
157160 char *cmd = NULL;
158161 if (cmdSize) {
162+ if (cmdSize > EFFECT_PARAM_SIZE_MAX) {
163+ reply->writeInt32(NO_MEMORY);
164+ return NO_ERROR;
165+ }
159166 cmd = (char *)calloc(cmdSize, 1);
160167 if (cmd == NULL) {
161168 reply->writeInt32(NO_MEMORY);
@@ -167,6 +174,11 @@ status_t BnEffect::onTransact(
167174 uint32_t replySz = replySize;
168175 char *resp = NULL;
169176 if (replySize) {
177+ if (replySize > EFFECT_PARAM_SIZE_MAX) {
178+ free(cmd);
179+ reply->writeInt32(NO_MEMORY);
180+ return NO_ERROR;
181+ }
170182 resp = (char *)calloc(replySize, 1);
171183 if (resp == NULL) {
172184 free(cmd);
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -472,7 +472,8 @@ sp<MetaData> MPEG4Extractor::getTrackMetaData(
472472 } else {
473473 uint32_t sampleIndex;
474474 uint32_t sampleTime;
475- if (track->sampleTable->findThumbnailSample(&sampleIndex) == OK
475+ if (track->timescale != 0 &&
476+ track->sampleTable->findThumbnailSample(&sampleIndex) == OK
476477 && track->sampleTable->getMetaDataForSample(
477478 sampleIndex, NULL /* offset */, NULL /* size */,
478479 &sampleTime) == OK) {
@@ -886,6 +887,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
886887 case FOURCC('s', 'c', 'h', 'i'):
887888 case FOURCC('e', 'd', 't', 's'):
888889 {
890+ if (chunk_type == FOURCC('m', 'o', 'o', 'v') && depth != 0) {
891+ ALOGE("moov: depth %d", depth);
892+ return ERROR_MALFORMED;
893+ }
889894 if (chunk_type == FOURCC('m', 'o', 'o', 'f') && !mMoofFound) {
890895 // store the offset of the first segment
891896 mMoofFound = true;
@@ -914,6 +919,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
914919
915920 bool isTrack = false;
916921 if (chunk_type == FOURCC('t', 'r', 'a', 'k')) {
922+ if (depth != 1) {
923+ ALOGE("trak: depth %d", depth);
924+ return ERROR_MALFORMED;
925+ }
917926 isTrack = true;
918927
919928 Track *track = new Track;
@@ -937,6 +946,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
937946 while (*offset < stop_offset) {
938947 status_t err = parseChunk(offset, depth + 1);
939948 if (err != OK) {
949+ if (isTrack) {
950+ mLastTrack->skipTrack = true;
951+ break;
952+ }
940953 return err;
941954 }
942955 }
@@ -1282,10 +1295,6 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
12821295
12831296 case FOURCC('s', 't', 's', 'd'):
12841297 {
1285- if (chunk_data_size < 8) {
1286- return ERROR_MALFORMED;
1287- }
1288-
12891298 uint8_t buffer[8];
12901299 if (chunk_data_size < (off64_t)sizeof(buffer)) {
12911300 return ERROR_MALFORMED;
@@ -1865,6 +1874,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
18651874 {
18661875 *offset += chunk_size;
18671876
1877+ if (depth != 1) {
1878+ ALOGE("mvhd: depth %d", depth);
1879+ return ERROR_MALFORMED;
1880+ }
18681881 if (chunk_data_size < 32) {
18691882 return ERROR_MALFORMED;
18701883 }
--- a/media/libstagefright/VBRISeeker.cpp
+++ b/media/libstagefright/VBRISeeker.cpp
@@ -83,8 +83,23 @@ sp<VBRISeeker> VBRISeeker::CreateFromSource(
8383 scale,
8484 entrySize);
8585
86+ if (entrySize > 4) {
87+ ALOGE("invalid VBRI entry size: %zu", entrySize);
88+ return NULL;
89+ }
90+
91+ sp<VBRISeeker> seeker = new (std::nothrow) VBRISeeker;
92+ if (seeker == NULL) {
93+ ALOGW("Couldn't allocate VBRISeeker");
94+ return NULL;
95+ }
96+
8697 size_t totalEntrySize = numEntries * entrySize;
87- uint8_t *buffer = new uint8_t[totalEntrySize];
98+ uint8_t *buffer = new (std::nothrow) uint8_t[totalEntrySize];
99+ if (!buffer) {
100+ ALOGW("Couldn't allocate %zu bytes", totalEntrySize);
101+ return NULL;
102+ }
88103
89104 n = source->readAt(pos + sizeof(vbriHeader), buffer, totalEntrySize);
90105 if (n < (ssize_t)totalEntrySize) {
@@ -94,7 +109,6 @@ sp<VBRISeeker> VBRISeeker::CreateFromSource(
94109 return NULL;
95110 }
96111
97- sp<VBRISeeker> seeker = new VBRISeeker;
98112 seeker->mBasePos = post_id3_pos + frameSize;
99113 // only update mDurationUs if the calculated duration is valid (non zero)
100114 // otherwise, leave duration at -1 so that getDuration() and getOffsetForTime()
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -831,20 +831,21 @@ void ID3::Iterator::findFrame() {
831831 }
832832 }
833833
834-static size_t StringSize(const uint8_t *start, uint8_t encoding) {
834+// return includes terminator; if unterminated, returns > limit
835+static size_t StringSize(const uint8_t *start, size_t limit, uint8_t encoding) {
836+
835837 if (encoding == 0x00 || encoding == 0x03) {
836838 // ISO 8859-1 or UTF-8
837- return strlen((const char *)start) + 1;
839+ return strnlen((const char *)start, limit) + 1;
838840 }
839841
840842 // UCS-2
841843 size_t n = 0;
842- while (start[n] != '\0' || start[n + 1] != '\0') {
844+ while ((n+1 < limit) && (start[n] != '\0' || start[n + 1] != '\0')) {
843845 n += 2;
844846 }
845-
846- // Add size of null termination.
847- return n + 2;
847+ n += 2;
848+ return n;
848849 }
849850
850851 const void *
@@ -862,11 +863,19 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
862863
863864 if (mVersion == ID3_V2_3 || mVersion == ID3_V2_4) {
864865 uint8_t encoding = data[0];
865- mime->setTo((const char *)&data[1]);
866- size_t mimeLen = strlen((const char *)&data[1]) + 1;
866+ size_t consumed = 1;
867+
868+ // *always* in an 8-bit encoding
869+ size_t mimeLen = StringSize(&data[consumed], size - consumed, 0x00);
870+ if (mimeLen > size - consumed) {
871+ ALOGW("bogus album art size: mime");
872+ return NULL;
873+ }
874+ mime->setTo((const char *)&data[consumed]);
875+ consumed += mimeLen;
867876
868877 #if 0
869- uint8_t picType = data[1 + mimeLen];
878+ uint8_t picType = data[consumed];
870879 if (picType != 0x03) {
871880 // Front Cover Art
872881 it.next();
@@ -874,20 +883,30 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
874883 }
875884 #endif
876885
877- size_t descLen = StringSize(&data[2 + mimeLen], encoding);
886+ consumed++;
887+ if (consumed >= size) {
888+ ALOGW("bogus album art size: pic type");
889+ return NULL;
890+ }
891+
892+ size_t descLen = StringSize(&data[consumed], size - consumed, encoding);
893+ consumed += descLen;
878894
879- if (size < 2 ||
880- size - 2 < mimeLen ||
881- size - 2 - mimeLen < descLen) {
882- ALOGW("bogus album art sizes");
895+ if (consumed >= size) {
896+ ALOGW("bogus album art size: description");
883897 return NULL;
884898 }
885- *length = size - 2 - mimeLen - descLen;
886899
887- return &data[2 + mimeLen + descLen];
900+ *length = size - consumed;
901+
902+ return &data[consumed];
888903 } else {
889904 uint8_t encoding = data[0];
890905
906+ if (size <= 5) {
907+ return NULL;
908+ }
909+
891910 if (!memcmp(&data[1], "PNG", 3)) {
892911 mime->setTo("image/png");
893912 } else if (!memcmp(&data[1], "JPG", 3)) {
@@ -907,7 +926,10 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
907926 }
908927 #endif
909928
910- size_t descLen = StringSize(&data[5], encoding);
929+ size_t descLen = StringSize(&data[5], size - 5, encoding);
930+ if (descLen > size - 5) {
931+ return NULL;
932+ }
911933
912934 *length = size - 5 - descLen;
913935
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -167,8 +167,10 @@ struct BufferMeta {
167167 return buf;
168168 }
169169
170- bool copyToOmx() const {
171- return mCopyToOmx;
170+ bool copyingOrSharingToOmx(const OMX_BUFFERHEADERTYPE *header) const {
171+ return mCopyToOmx
172+ // sharing buffer with client
173+ || (mMem != NULL && mMem->pointer() == header->pBuffer);
172174 }
173175
174176 void setGraphicBuffer(const sp<GraphicBuffer> &graphicBuffer) {
@@ -780,13 +782,6 @@ status_t OMXNodeInstance::useBuffer(
780782 }
781783 memset(data, 0, allottedSize);
782784
783- // if we are not connecting the buffers, the sizes must match
784- if (allottedSize != params->size()) {
785- CLOG_ERROR(useBuffer, BAD_VALUE, SIMPLE_BUFFER(portIndex, (size_t)allottedSize, data));
786- delete[] data;
787- return BAD_VALUE;
788- }
789-
790785 buffer_meta = new BufferMeta(
791786 params, portIndex, false /* copyToOmx */, false /* copyFromOmx */, data);
792787 } else {
@@ -1279,7 +1274,7 @@ status_t OMXNodeInstance::emptyBuffer(
12791274
12801275 // convert incoming ANW meta buffers if component is configured for gralloc metadata mode
12811276 // ignore rangeOffset in this case
1282- if (buffer_meta->copyToOmx()
1277+ if (buffer_meta->copyingOrSharingToOmx(header)
12831278 && mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource
12841279 && backup->capacity() >= sizeof(VideoNativeMetadata)
12851280 && codec->capacity() >= sizeof(VideoGrallocMetadata)
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -571,6 +571,29 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
571571 android_errorWriteLog(0x534e4554, "29251553");
572572 return -EINVAL;
573573 }
574+ if (cmdCode == EFFECT_CMD_GET_PARAM &&
575+ (sizeof(effect_param_t) > cmdSize ||
576+ ((effect_param_t *)pCmdData)->psize > cmdSize
577+ - sizeof(effect_param_t))) {
578+ android_errorWriteLog(0x534e4554, "32438594");
579+ return -EINVAL;
580+ }
581+ if (cmdCode == EFFECT_CMD_GET_PARAM &&
582+ (sizeof(effect_param_t) > *replySize
583+ || ((effect_param_t *)pCmdData)->psize > *replySize
584+ - sizeof(effect_param_t)
585+ || ((effect_param_t *)pCmdData)->vsize > *replySize
586+ - sizeof(effect_param_t)
587+ - ((effect_param_t *)pCmdData)->psize
588+ || roundUpDelta(((effect_param_t *)pCmdData)->psize, (uint32_t)sizeof(int)) >
589+ *replySize
590+ - sizeof(effect_param_t)
591+ - ((effect_param_t *)pCmdData)->psize
592+ - ((effect_param_t *)pCmdData)->vsize)) {
593+ ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: reply size inconsistent");
594+ android_errorWriteLog(0x534e4554, "32705438");
595+ return -EINVAL;
596+ }
574597 if ((cmdCode == EFFECT_CMD_SET_PARAM
575598 || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used
576599 (sizeof(effect_param_t) > cmdSize
@@ -1254,36 +1277,54 @@ status_t AudioFlinger::EffectHandle::command(uint32_t cmdCode,
12541277 // particular client process: no risk to block the whole media server process or mixer
12551278 // threads if we are stuck here
12561279 Mutex::Autolock _l(mCblk->lock);
1257- if (mCblk->clientIndex > EFFECT_PARAM_BUFFER_SIZE ||
1258- mCblk->serverIndex > EFFECT_PARAM_BUFFER_SIZE) {
1280+
1281+ // keep local copy of index in case of client corruption b/32220769
1282+ const uint32_t clientIndex = mCblk->clientIndex;
1283+ const uint32_t serverIndex = mCblk->serverIndex;
1284+ if (clientIndex > EFFECT_PARAM_BUFFER_SIZE ||
1285+ serverIndex > EFFECT_PARAM_BUFFER_SIZE) {
12591286 mCblk->serverIndex = 0;
12601287 mCblk->clientIndex = 0;
12611288 return BAD_VALUE;
12621289 }
12631290 status_t status = NO_ERROR;
1264- while (mCblk->serverIndex < mCblk->clientIndex) {
1265- int reply;
1266- uint32_t rsize = sizeof(int);
1267- int *p = (int *)(mBuffer + mCblk->serverIndex);
1268- int size = *p++;
1269- if (((uint8_t *)p + size) > mBuffer + mCblk->clientIndex) {
1291+ effect_param_t *param = NULL;
1292+ for (uint32_t index = serverIndex; index < clientIndex;) {
1293+ int *p = (int *)(mBuffer + index);
1294+ const int size = *p++;
1295+ if (size < 0
1296+ || size > EFFECT_PARAM_BUFFER_SIZE
1297+ || ((uint8_t *)p + size) > mBuffer + clientIndex) {
12701298 ALOGW("command(): invalid parameter block size");
1299+ status = BAD_VALUE;
12711300 break;
12721301 }
1273- effect_param_t *param = (effect_param_t *)p;
1274- if (param->psize == 0 || param->vsize == 0) {
1275- ALOGW("command(): null parameter or value size");
1276- mCblk->serverIndex += size;
1277- continue;
1302+
1303+ // copy to local memory in case of client corruption b/32220769
1304+ param = (effect_param_t *)realloc(param, size);
1305+ if (param == NULL) {
1306+ ALOGW("command(): out of memory");
1307+ status = NO_MEMORY;
1308+ break;
12781309 }
1279- uint32_t psize = sizeof(effect_param_t) +
1280- ((param->psize - 1) / sizeof(int) + 1) * sizeof(int) +
1281- param->vsize;
1310+ memcpy(param, p, size);
1311+
1312+ int reply = 0;
1313+ uint32_t rsize = sizeof(reply);
12821314 status_t ret = mEffect->command(EFFECT_CMD_SET_PARAM,
1283- psize,
1284- p,
1315+ size,
1316+ param,
12851317 &rsize,
12861318 &reply);
1319+
1320+ // verify shared memory: server index shouldn't change; client index can't go back.
1321+ if (serverIndex != mCblk->serverIndex
1322+ || clientIndex > mCblk->clientIndex) {
1323+ android_errorWriteLog(0x534e4554, "32220769");
1324+ status = BAD_VALUE;
1325+ break;
1326+ }
1327+
12871328 // stop at first error encountered
12881329 if (ret != NO_ERROR) {
12891330 status = ret;
@@ -1293,8 +1334,9 @@ status_t AudioFlinger::EffectHandle::command(uint32_t cmdCode,
12931334 *(int *)pReplyData = reply;
12941335 break;
12951336 }
1296- mCblk->serverIndex += size;
1337+ index += size;
12971338 }
1339+ free(param);
12981340 mCblk->serverIndex = 0;
12991341 mCblk->clientIndex = 0;
13001342 return status;
Show on old repository browser