authorAndy Hung <hunga@google.com>2017-06-12 17:22:46 -0700
committerAndreas Blaesius <skate4life@gmx.de>2017-09-17 22:11:24 +0200
commit9fd7435ee2831939df35cb8871d21915c7c84f28 (patch)
tree01396e8dd304cec102500cca2fc996ba4f51d52b
parent9f1b7cd58f8b6bd4b95769f8ec0624c15a5d72a2 (diff)
Track: Check buffer size of static tracks
Merged-In: Ia7edd9a802905214a27961dbcec6352f6ef98f73 Test: Native POC Bug: 38340117 Change-Id: I633caf563d3607dbe4b9be10be1687efce33469c (cherry picked from commit f4aeab2bd69bead05ed75ae3254f53a6ab2316b5) CVE-2017-0779
-rw-r--r--services/audioflinger/Tracks.cpp15
1 files changed, 15 insertions, 0 deletions
diff --git a/services/audioflinger/Tracks.cpp b/services/audioflinger/Tracks.cpp
index 98533ec5ed..b04de58e61 100644
--- a/services/audioflinger/Tracks.cpp
+++ b/services/audioflinger/Tracks.cpp
@@ -437,6 +437,21 @@ AudioFlinger::PlaybackThread::Track::Track(
mAudioTrackServerProxy = new AudioTrackServerProxy(mCblk, mBuffer, frameCount,
mFrameSize, !isExternalTrack(), sampleRate);
} else {
+ // Is the shared buffer of sufficient size?
+ // (frameCount * mFrameSize) is <= SIZE_MAX, checked in TrackBase.
+ if (sharedBuffer->size() < frameCount * mFrameSize) {
+ // Workaround: clear out mCblk to indicate track hasn't been properly created.
+ mCblk->~audio_track_cblk_t(); // destroy our shared-structure.
+ if (mClient == 0) {
+ free(mCblk);
+ }
+ mCblk = NULL;
+
+ mSharedBuffer.clear(); // release shared buffer early
+ android_errorWriteLog(0x534e4554, "38340117");
+ return;
+ }
+
mAudioTrackServerProxy = new StaticAudioTrackServerProxy(mCblk, mBuffer, frameCount,
mFrameSize);
}
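Review bot: The new early-return path resets `mCblk` and releases `mSharedBuffer`, but leaves `mBuffer` untouched. If `mBuffer` was derived from the shared buffer in TrackBase (not visible in this hunk), it dangles once `mSharedBuffer.clear()` runs. Adding `mBuffer = NULL;` next to `mCblk = NULL;` would make the failed state unambiguous. The workaround is only safe if every caller treats a null `mCblk` as a failed construction, so the comment should state that contract, e.g. `// Callers must check for mCblk == NULL before using this Track; the object is only partially constructed.` When `mClient != 0` the control block is destroyed but not freed here; presumably the client allocation that backs it is released elsewhere, which is worth confirming since the constructor starts and ends outside the hunk.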