author | Ryszard Grzesica <ryszard.grzesica@sonymobile.com> | 2014-01-17 11:40:16 +0100 |
---|---|---|
committer | Takeshi Aimi <takeshi.aimi@sonymobile.com> | 2014-02-20 02:01:35 +0900 |
commit | abb7b17613fff41433cda94207eb535c9fed8fba (patch) | |
tree | 1ccb9a72843f7b023cbd9b5365fc6c424b672dc7 /media/libeffects/visualizer/EffectVisualizer.cpp | |
parent | 80b72e6f4202ce26facbe51b8739814bca198a2c (diff) | |
Fix preventing from heap overwrite in capture command
There was a heap usage error when the audio framework stopped while
capturePoint was negative. The pointer to the reply data had been advanced, but
the final silence write was done using the original buffer size.
The silence fill is now done at the beginning, under the condition
that the framework has stopped.
Change-Id: I7dab1e922f1813e5fbfd4a64c8b0d15d9465520c
Diffstat (limited to 'media/libeffects/visualizer/EffectVisualizer.cpp')
-rw-r--r-- | media/libeffects/visualizer/EffectVisualizer.cpp | 69 |
1 files changed, 35 insertions, 34 deletions
diff --git a/media/libeffects/visualizer/EffectVisualizer.cpp b/media/libeffects/visualizer/EffectVisualizer.cpp
index 2d66eef..5bdaa03 100644
--- a/media/libeffects/visualizer/EffectVisualizer.cpp
+++ b/media/libeffects/visualizer/EffectVisualizer.cpp
@@ -544,56 +544,57 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize, break; - case VISUALIZER_CMD_CAPTURE: - if (pReplyData == NULL || *replySize != pContext->mCaptureSize) { - ALOGV("VISUALIZER_CMD_CAPTURE() error *replySize %d pContext->mCaptureSize %d", - *replySize, pContext->mCaptureSize); + case VISUALIZER_CMD_CAPTURE: { + int32_t captureSize = pContext->mCaptureSize; + if (pReplyData == NULL || *replySize != captureSize) { + ALOGV("VISUALIZER_CMD_CAPTURE() error *replySize %d captureSize %d", + *replySize, captureSize); return -EINVAL; } if (pContext->mState == VISUALIZER_STATE_ACTIVE) { - int32_t latencyMs = pContext->mLatency; const uint32_t deltaMs = Visualizer_getDeltaTimeMsFromUpdatedTime(pContext); - latencyMs -= deltaMs; - if (latencyMs < 0) { - latencyMs = 0; - } - const uint32_t deltaSmpl = pContext->mConfig.inputCfg.samplingRate * latencyMs / 1000; - - int32_t capturePoint = pContext->mCaptureIdx - pContext->mCaptureSize - deltaSmpl; - int32_t captureSize = pContext->mCaptureSize; - if (capturePoint < 0) { - int32_t size = -capturePoint; - if (size > captureSize) { - size = captureSize; - } - memcpy(pReplyData, - pContext->mCaptureBuf + CAPTURE_BUF_SIZE + capturePoint, - size); - pReplyData = (char *)pReplyData + size; - captureSize -= size; - capturePoint = 0; - } - memcpy(pReplyData, - pContext->mCaptureBuf + capturePoint, - captureSize); - // if audio framework has stopped playing audio although the effect is still // active we must clear the capture buffer to return silence if ((pContext->mLastCaptureIdx == pContext->mCaptureIdx) && - (pContext->mBufferUpdateTime.tv_sec != 0)) { - if (deltaMs > MAX_STALL_TIME_MS) { + (pContext->mBufferUpdateTime.tv_sec != 0) && + (deltaMs > MAX_STALL_TIME_MS)) { ALOGV("capture going to idle"); pContext->mBufferUpdateTime.tv_sec = 0; - memset(pReplyData, 0x80, pContext->mCaptureSize); + memset(pReplyData, 0x80, captureSize); + } else { + int32_t latencyMs = pContext->mLatency; + 
latencyMs -= deltaMs; + if (latencyMs < 0) { + latencyMs = 0; } + const uint32_t deltaSmpl = + pContext->mConfig.inputCfg.samplingRate * latencyMs / 1000; + int32_t capturePoint = pContext->mCaptureIdx - captureSize - deltaSmpl; + + if (capturePoint < 0) { + int32_t size = -capturePoint; + if (size > captureSize) { + size = captureSize; + } + memcpy(pReplyData, + pContext->mCaptureBuf + CAPTURE_BUF_SIZE + capturePoint, + size); + pReplyData = (char *)pReplyData + size; + captureSize -= size; + capturePoint = 0; + } + memcpy(pReplyData, + pContext->mCaptureBuf + capturePoint, + captureSize); } + pContext->mLastCaptureIdx = pContext->mCaptureIdx; } else { - memset(pReplyData, 0x80, pContext->mCaptureSize); + memset(pReplyData, 0x80, captureSize); } - break; + } break; case VISUALIZER_CMD_MEASURE: { uint16_t peakU16 = 0; |
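Review bot: In the new `else` branch, the wrap-around copy reads from `pContext->mCaptureBuf + CAPTURE_BUF_SIZE + capturePoint` with `size` clamped to `captureSize`, but nothing visible bounds `capturePoint` from below, so a value below `-CAPTURE_BUF_SIZE` would start the `memcpy` before the buffer. `capturePoint` is derived from `mLatency` and `samplingRate`, and the hunk only clamps `latencyMs` at zero; unless those fields are range-checked where they are set (outside this hunk), I would add a guard before the copy such as `if (capturePoint < -(int32_t)CAPTURE_BUF_SIZE) { capturePoint = -(int32_t)CAPTURE_BUF_SIZE; }`. Separately, the entry check dereferences `*replySize` without a visible `replySize == NULL` test; `pReplyData == NULL || replySize == NULL || *replySize != captureSize` would cover it. Visualizer_command starts and ends outside the hunk, so earlier validation may exist that is not shown here.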