DO NOT MERGE - audio policy service: fix possible memory overflow
Add limit on number of audio ports and patches requested by
listaudioPorts() and listAudioPatches().
Bug: 19261727.
Change-Id: I21dfdf11cf805734cc3b7b2a85762c5598f60580
(cherry picked from commit 1d670b11313250442455a22f1056ad649d607fb2)
diff --git a/media/libmedia/IAudioPolicyService.cpp b/media/libmedia/IAudioPolicyService.cpp
index 70551c4..12efa8a 100644
--- a/media/libmedia/IAudioPolicyService.cpp
+++ b/media/libmedia/IAudioPolicyService.cpp
@@ -73,6 +73,8 @@
REGISTER_POLICY_MIXES,
};
+#define MAX_ITEMS_PER_LIST 1024
+
class BpAudioPolicyService : public BpInterface<IAudioPolicyService>
{
public:
@@ -1054,10 +1056,18 @@
audio_port_role_t role = (audio_port_role_t)data.readInt32();
audio_port_type_t type = (audio_port_type_t)data.readInt32();
unsigned int numPortsReq = data.readInt32();
+ if (numPortsReq > MAX_ITEMS_PER_LIST) {
+ numPortsReq = MAX_ITEMS_PER_LIST;
+ }
unsigned int numPorts = numPortsReq;
- unsigned int generation;
struct audio_port *ports =
(struct audio_port *)calloc(numPortsReq, sizeof(struct audio_port));
+ if (ports == NULL) {
+ reply->writeInt32(NO_MEMORY);
+ reply->writeInt32(0);
+ return NO_ERROR;
+ }
+ unsigned int generation;
status_t status = listAudioPorts(role, type, &numPorts, ports, &generation);
reply->writeInt32(status);
reply->writeInt32(numPorts);
@@ -1111,11 +1121,19 @@
case LIST_AUDIO_PATCHES: {
CHECK_INTERFACE(IAudioPolicyService, data, reply);
unsigned int numPatchesReq = data.readInt32();
+ if (numPatchesReq > MAX_ITEMS_PER_LIST) {
+ numPatchesReq = MAX_ITEMS_PER_LIST;
+ }
unsigned int numPatches = numPatchesReq;
- unsigned int generation;
struct audio_patch *patches =
(struct audio_patch *)calloc(numPatchesReq,
sizeof(struct audio_patch));
+ if (patches == NULL) {
+ reply->writeInt32(NO_MEMORY);
+ reply->writeInt32(0);
+ return NO_ERROR;
+ }
+ unsigned int generation;
status_t status = listAudioPatches(&numPatches, patches, &generation);
reply->writeInt32(status);
reply->writeInt32(numPatches);
