Google Git
Sign in
android/platform/frameworks/av/6dc6c38^!/.
commit
6dc6c38b63b0ec5a72bd956c4821b9d00d3ab123
[log]
author
Eric Laurent <elaurent@google.com>
Fri Feb 06 10:44:24 2015 -0800
committer
The Android Automerger <android-build@google.com>
Wed Mar 25 18:49:25 2015 -0700
tree
055d8f09c85491920c54dced2498f2dc1c4103cf
parent
e2c8023444bf96739ff0e4cbaebc086bb73d3bf0 [diff]
DO NOT MERGE - audio policy service: fix possible memory overflow

Add limit on number of audio ports and patches requested by
listaudioPorts() and listAudioPatches().

Bug: 19261727.
Change-Id: I21dfdf11cf805734cc3b7b2a85762c5598f60580
(cherry picked from commit 1d670b11313250442455a22f1056ad649d607fb2)

diff --git a/media/libmedia/IAudioPolicyService.cpp b/media/libmedia/IAudioPolicyService.cpp
index 70551c4..12efa8a 100644
--- a/media/libmedia/IAudioPolicyService.cpp
+++ b/media/libmedia/IAudioPolicyService.cpp

@@ -73,6 +73,8 @@
     REGISTER_POLICY_MIXES,
 };
 
+#define MAX_ITEMS_PER_LIST 1024
+
 class BpAudioPolicyService : public BpInterface<IAudioPolicyService>
 {
 public:
@@ -1054,10 +1056,18 @@
             audio_port_role_t role = (audio_port_role_t)data.readInt32();
             audio_port_type_t type = (audio_port_type_t)data.readInt32();
             unsigned int numPortsReq = data.readInt32();
+            if (numPortsReq > MAX_ITEMS_PER_LIST) {
+                numPortsReq = MAX_ITEMS_PER_LIST;
+            }
             unsigned int numPorts = numPortsReq;
-            unsigned int generation;
             struct audio_port *ports =
                     (struct audio_port *)calloc(numPortsReq, sizeof(struct audio_port));
+            if (ports == NULL) {
+                reply->writeInt32(NO_MEMORY);
+                reply->writeInt32(0);
+                return NO_ERROR;
+            }
+            unsigned int generation;
             status_t status = listAudioPorts(role, type, &numPorts, ports, &generation);
             reply->writeInt32(status);
             reply->writeInt32(numPorts);
@@ -1111,11 +1121,19 @@
         case LIST_AUDIO_PATCHES: {
             CHECK_INTERFACE(IAudioPolicyService, data, reply);
             unsigned int numPatchesReq = data.readInt32();
+            if (numPatchesReq > MAX_ITEMS_PER_LIST) {
+                numPatchesReq = MAX_ITEMS_PER_LIST;
+            }
             unsigned int numPatches = numPatchesReq;
-            unsigned int generation;
             struct audio_patch *patches =
                     (struct audio_patch *)calloc(numPatchesReq,
                                                  sizeof(struct audio_patch));
+            if (patches == NULL) {
+                reply->writeInt32(NO_MEMORY);
+                reply->writeInt32(0);
+                return NO_ERROR;
+            }
+            unsigned int generation;
             status_t status = listAudioPatches(&numPatches, patches, &generation);
             reply->writeInt32(status);
             reply->writeInt32(numPatches);