author | Andy Hung <hunga@google.com> | 2017-06-12 17:22:46 -0700 |
---|---|---|
committer | Andreas Blaesius <skate4life@gmx.de> | 2017-09-17 22:11:24 +0200 |
commit | 9fd7435ee2831939df35cb8871d21915c7c84f28 (patch) | |
tree | 01396e8dd304cec102500cca2fc996ba4f51d52b | |
parent | 9f1b7cd58f8b6bd4b95769f8ec0624c15a5d72a2 (diff) | |
Track: Check buffer size of static tracks
Merged-In: Ia7edd9a802905214a27961dbcec6352f6ef98f73
Test: Native POC
Bug: 38340117
Change-Id: I633caf563d3607dbe4b9be10be1687efce33469c
(cherry picked from commit f4aeab2bd69bead05ed75ae3254f53a6ab2316b5)
CVE-2017-0779
-rw-r--r-- | services/audioflinger/Tracks.cpp | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/services/audioflinger/Tracks.cpp b/services/audioflinger/Tracks.cpp
index 98533ec5ed..b04de58e61 100644
--- a/services/audioflinger/Tracks.cpp
+++ b/services/audioflinger/Tracks.cpp
@@ -437,6 +437,21 @@ AudioFlinger::PlaybackThread::Track::Track(
 mAudioTrackServerProxy = new AudioTrackServerProxy(mCblk, mBuffer, frameCount,
 mFrameSize, !isExternalTrack(), sampleRate);
 } else {
+ // Is the shared buffer of sufficient size?
+ // (frameCount * mFrameSize) is <= SIZE_MAX, checked in TrackBase.
+ if (sharedBuffer->size() < frameCount * mFrameSize) {
+ // Workaround: clear out mCblk to indicate track hasn't been properly created.
+ mCblk->~audio_track_cblk_t(); // destroy our shared-structure.
+ if (mClient == 0) {
+ free(mCblk);
+ }
+ mCblk = NULL;
+
+ mSharedBuffer.clear(); // release shared buffer early
+ android_errorWriteLog(0x534e4554, "38340117");
+ return;
+ }
+
 mAudioTrackServerProxy = new StaticAudioTrackServerProxy(mCblk, mBuffer, frameCount,
 mFrameSize);
 } |
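Review bot: After `mSharedBuffer.clear()` in the new size-check branch, `mBuffer` is left as it was; if it was derived from the shared buffer earlier in the constructor (not visible in this hunk), it now refers to memory the track no longer holds, so I would add `mBuffer = NULL;` next to `mCblk = NULL;`. The early `return` also leaves the Track half-constructed with `mCblk == NULL` as the only failure signal, which is worth stating at the return, e.g. `// Callers must treat mCblk == NULL as a failed construction and discard the track.` The guard itself depends on the `frameCount * mFrameSize` overflow check that the comment attributes to TrackBase. The constructor begins and ends outside the hunk, so neither that check nor a null test on `sharedBuffer` before `sharedBuffer->size()` can be confirmed from here.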