diff options
author | Andy Hung <hunga@google.com> | 2017-02-13 18:50:48 -0800 |
---|---|---|
committer | Andreas Blaesius <skate4life@gmx.de> | 2017-09-17 22:11:22 +0200 |
commit | 9f1b7cd58f8b6bd4b95769f8ec0624c15a5d72a2 (patch) | |
tree | 506cb8f8f835989497ffcf50e7b121659c3ab997 | |
parent | d7b3d7418d569a0fc98de373fb3bdf878826be2e (diff) | |
download | frameworks_av-9f1b7cd58f8b6bd4b95769f8ec0624c15a5d72a2.tar.gz frameworks_av-9f1b7cd58f8b6bd4b95769f8ec0624c15a5d72a2.tar.bz2 frameworks_av-9f1b7cd58f8b6bd4b95769f8ec0624c15a5d72a2.zip |
AudioFlinger: Fix memory allocation for client-less tracks
Test: Ringtone with BT
Bug: 35350587
Bug: 38340117
Change-Id: If247d319d58f8f4d18b49f58ec950491871ebb2d
(cherry picked from commit afb31487f3156a7284d2f0d06646c7bc00d99537)
(cherry picked from commit 1159ffd5e3f832206982d45a7b030b943cc4775e)
CVE-2017-0779
-rw-r--r-- | services/audioflinger/Tracks.cpp | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/services/audioflinger/Tracks.cpp b/services/audioflinger/Tracks.cpp index 77a929a05c..98533ec5ed 100644 --- a/services/audioflinger/Tracks.cpp +++ b/services/audioflinger/Tracks.cpp @@ -145,9 +145,11 @@ AudioFlinger::ThreadBase::TrackBase::TrackBase( return; } } else { - // this syntax avoids calling the audio_track_cblk_t constructor twice - mCblk = (audio_track_cblk_t *) new uint8_t[size]; - // assume mCblk != NULL + mCblk = (audio_track_cblk_t *) malloc(size); + if (mCblk == NULL) { + ALOGE("not enough memory for AudioTrack size=%zu", size); + return; + } } // construct the shared structure in-place. @@ -239,10 +241,9 @@ AudioFlinger::ThreadBase::TrackBase::~TrackBase() // delete the proxy before deleting the shared memory it refers to, to avoid dangling reference delete mServerProxy; if (mCblk != NULL) { + mCblk->~audio_track_cblk_t(); // destroy our shared-structure. if (mClient == 0) { - delete mCblk; - } else { - mCblk->~audio_track_cblk_t(); // destroy our shared-structure. + free(mCblk); } } mCblkMemory.clear(); // free the shared memory before releasing the heap it belongs to |