From a18111d2db2a5e43a5ba318073986c12f9c86720 Mon Sep 17 00:00:00 2001 From: Eric Laurent Date: Thu, 3 Dec 2015 18:52:10 -0800 Subject: post proc : volume listener : fix effect release crash Fix access to deleted effect context in vol_prc_lib_release() Bug: 25753245. Change-Id: I64ca99e4d5d09667be4c8c605f66700b9ae67949 (cherry picked from commit 93ab6fdda7b7557ccb34372670c30fa6178f8426) --- post_proc/volume_listener.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/post_proc/volume_listener.c b/post_proc/volume_listener.c index 34954bbc..ef632993 100644 --- a/post_proc/volume_listener.c +++ b/post_proc/volume_listener.c 
@@ -688,20 +688,31 @@ static int vol_prc_lib_release(effect_handle_t handle) struct listnode *node, *temp_node_next; vol_listener_context_t *context = NULL; vol_listener_context_t *recv_contex = (vol_listener_context_t *)handle; - int status = -1; + int status = -EINVAL; bool recompute_flag = false; int active_stream_count = 0; + uint32_t session_id; + uint32_t stream_type; + effect_uuid_t uuid; + ALOGV("%s context %p", __func__, handle); + + if (recv_contex == NULL) { + return status; + } pthread_mutex_lock(&vol_listner_init_lock); + session_id = recv_contex->session_id; + stream_type = recv_contex->stream_type; + uuid = recv_contex->desc->uuid; // check if the handle/context provided is valid list_for_each_safe(node, temp_node_next, &vol_effect_list) { context = node_to_item(node, struct vol_listener_context_s, effect_list_node); - if ((memcmp(&(context->desc->uuid), &(recv_contex->desc->uuid), sizeof(effect_uuid_t)) == 0) - && (context->session_id == recv_contex->session_id) - && (context->stream_type == recv_contex->stream_type)) { + if ((memcmp(&(context->desc->uuid), &uuid, sizeof(effect_uuid_t)) == 0) + && (context->session_id == session_id) + && (context->stream_type == stream_type)) { ALOGV("--- Found something to remove ---"); - list_remove(&context->effect_list_node); + list_remove(node); PRINT_STREAM_TYPE(context->stream_type); if (context->dev_id == AUDIO_DEVICE_OUT_SPEAKER) { recompute_flag = true; @@ -715,6 +726,8 @@ static int vol_prc_lib_release(effect_handle_t handle) if (status != 0) { ALOGE("something wrong ... <<<--- Found NOTHING to remove ... ???? --->>>>>"); + pthread_mutex_unlock(&vol_listner_init_lock); + return status; } // if there are no active streams, reset cal and volume level -- cgit v1.2.3 From 073a80800f341325932c66818ce4302b312909a4 Mon Sep 17 00:00:00 2001 
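Review bot: In the first hunk the handle is still dereferenced before it is validated: `recv_contex->session_id`, `recv_contex->stream_type` and `recv_contex->desc->uuid` are read before the walk over `vol_effect_list` can reject a stale or already-released handle, and `desc` is not NULL-checked. If the handle is the list entry itself (not visible here, to be confirmed against the create path), matching on pointer identity with `if (context == recv_contex) {` would validate it without touching its memory and would make the three copied locals unnecessary. The early `return status;` added in the second hunk would then give a rejected handle a clean exit with `vol_listner_init_lock` released. The function body continues outside both hunks, so where `status` is set to 0 and where the context is freed is inferred from the commit message, not from visible lines.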
From: Andy Hung Date: Thu, 28 Apr 2016 13:43:44 -0700 Subject: DO NOT MERGE Fix AudioEffect reply overflow Bug: 28173666 Change-Id: I055af37a721b20c5da0f1ec4b02f630dcd5aee02 --- post_proc/bundle.c | 5 +++-- voice_processing/voice_processing.c | 4 +++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/post_proc/bundle.c b/post_proc/bundle.c index a6b07278..df327ab7 100644 --- a/post_proc/bundle.c +++ b/post_proc/bundle.c @@ -621,8 +621,9 @@ int effect_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, if (pCmdData == NULL || cmdSize < (int)(sizeof(effect_param_t) + sizeof(uint32_t)) || pReplyData == NULL || - *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + - sizeof(uint16_t))) { + *replySize < (int)(sizeof(effect_param_t) + sizeof(uint32_t) + sizeof(uint16_t)) || + // constrain memcpy below + ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) { status = -EINVAL; ALOGV("EFFECT_CMD_GET_PARAM invalid command cmdSize %d *replySize %d", cmdSize, *replySize); diff --git a/voice_processing/voice_processing.c b/voice_processing/voice_processing.c index b3f97c6a..7d2b5929 100644 --- a/voice_processing/voice_processing.c +++ b/voice_processing/voice_processing.c @@ -560,7 +560,9 @@ static int fx_command(effect_handle_t self, if (pCmdData == NULL || cmdSize < (int)sizeof(effect_param_t) || pReplyData == NULL || - *replySize < (int)sizeof(effect_param_t)) { + *replySize < (int)sizeof(effect_param_t) || + // constrain memcpy below + ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t)) { ALOGV("fx_command() EFFECT_CMD_GET_PARAM invalid args"); return -EINVAL; } -- cgit v1.2.3
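Review bot: The new `psize` clause in `effect_command()` (post_proc/bundle.c) bounds the copy only against `*replySize`; nothing compares `psize` with `cmdSize`. The memcpy that the added comment refers to is outside the hunk, but if it reads `sizeof(effect_param_t) + psize` bytes from `pCmdData`, an oversized `psize` can still read past the end of the command buffer. Adding `|| ((effect_param_t *)pCmdData)->psize > cmdSize - sizeof(effect_param_t)` would bound the source side as well, and the earlier `cmdSize` clause already keeps that subtraction from wrapping. The `fx_command()` hunk in voice_processing/voice_processing.c has the same gap. In both places the `(int)` casts on the `sizeof` terms are compared with unsigned sizes (`cmdSize` is `uint32_t` in the bundle.c signature) and could be dropped so every comparison is unsigned.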