summaryrefslogtreecommitdiffstats
path: root/media/libeffects/visualizer/EffectVisualizer.cpp
diff options
context:
space:
mode:
authorRyszard Grzesica <ryszard.grzesica@sonymobile.com>2014-01-17 11:40:16 +0100
committerTakeshi Aimi <takeshi.aimi@sonymobile.com>2014-02-20 02:01:35 +0900
commitabb7b17613fff41433cda94207eb535c9fed8fba (patch)
tree1ccb9a72843f7b023cbd9b5365fc6c424b672dc7 /media/libeffects/visualizer/EffectVisualizer.cpp
parent80b72e6f4202ce26facbe51b8739814bca198a2c (diff)
downloadframeworks_av-abb7b17613fff41433cda94207eb535c9fed8fba.zip
frameworks_av-abb7b17613fff41433cda94207eb535c9fed8fba.tar.gz
frameworks_av-abb7b17613fff41433cda94207eb535c9fed8fba.tar.bz2
Fix preventing from heap overwrite in capture command
There was heap usage error in case of stop of audio framework while capturePoint was negative. Pointer to reply data was moved but final silence write was done using original buffer size. Now silence set is done at the beginning under the condition that framework has stopped. Change-Id: I7dab1e922f1813e5fbfd4a64c8b0d15d9465520c
Diffstat (limited to 'media/libeffects/visualizer/EffectVisualizer.cpp')
-rw-r--r--media/libeffects/visualizer/EffectVisualizer.cpp69
1 files changed, 35 insertions, 34 deletions
diff --git a/media/libeffects/visualizer/EffectVisualizer.cpp b/media/libeffects/visualizer/EffectVisualizer.cpp
index 2d66eef..5bdaa03 100644
--- a/media/libeffects/visualizer/EffectVisualizer.cpp
+++ b/media/libeffects/visualizer/EffectVisualizer.cpp
@@ -544,56 +544,57 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
break;
- case VISUALIZER_CMD_CAPTURE:
- if (pReplyData == NULL || *replySize != pContext->mCaptureSize) {
- ALOGV("VISUALIZER_CMD_CAPTURE() error *replySize %d pContext->mCaptureSize %d",
- *replySize, pContext->mCaptureSize);
+ case VISUALIZER_CMD_CAPTURE: {
+ int32_t captureSize = pContext->mCaptureSize;
+ if (pReplyData == NULL || *replySize != captureSize) {
+ ALOGV("VISUALIZER_CMD_CAPTURE() error *replySize %d captureSize %d",
+ *replySize, captureSize);
return -EINVAL;
}
if (pContext->mState == VISUALIZER_STATE_ACTIVE) {
- int32_t latencyMs = pContext->mLatency;
const uint32_t deltaMs = Visualizer_getDeltaTimeMsFromUpdatedTime(pContext);
- latencyMs -= deltaMs;
- if (latencyMs < 0) {
- latencyMs = 0;
- }
- const uint32_t deltaSmpl = pContext->mConfig.inputCfg.samplingRate * latencyMs / 1000;
-
- int32_t capturePoint = pContext->mCaptureIdx - pContext->mCaptureSize - deltaSmpl;
- int32_t captureSize = pContext->mCaptureSize;
- if (capturePoint < 0) {
- int32_t size = -capturePoint;
- if (size > captureSize) {
- size = captureSize;
- }
- memcpy(pReplyData,
- pContext->mCaptureBuf + CAPTURE_BUF_SIZE + capturePoint,
- size);
- pReplyData = (char *)pReplyData + size;
- captureSize -= size;
- capturePoint = 0;
- }
- memcpy(pReplyData,
- pContext->mCaptureBuf + capturePoint,
- captureSize);
-
// if audio framework has stopped playing audio although the effect is still
// active we must clear the capture buffer to return silence
if ((pContext->mLastCaptureIdx == pContext->mCaptureIdx) &&
- (pContext->mBufferUpdateTime.tv_sec != 0)) {
- if (deltaMs > MAX_STALL_TIME_MS) {
+ (pContext->mBufferUpdateTime.tv_sec != 0) &&
+ (deltaMs > MAX_STALL_TIME_MS)) {
ALOGV("capture going to idle");
pContext->mBufferUpdateTime.tv_sec = 0;
- memset(pReplyData, 0x80, pContext->mCaptureSize);
+ memset(pReplyData, 0x80, captureSize);
+ } else {
+ int32_t latencyMs = pContext->mLatency;
+ latencyMs -= deltaMs;
+ if (latencyMs < 0) {
+ latencyMs = 0;
}
+ const uint32_t deltaSmpl =
+ pContext->mConfig.inputCfg.samplingRate * latencyMs / 1000;
+ int32_t capturePoint = pContext->mCaptureIdx - captureSize - deltaSmpl;
+
+ if (capturePoint < 0) {
+ int32_t size = -capturePoint;
+ if (size > captureSize) {
+ size = captureSize;
+ }
+ memcpy(pReplyData,
+ pContext->mCaptureBuf + CAPTURE_BUF_SIZE + capturePoint,
+ size);
+ pReplyData = (char *)pReplyData + size;
+ captureSize -= size;
+ capturePoint = 0;
+ }
+ memcpy(pReplyData,
+ pContext->mCaptureBuf + capturePoint,
+ captureSize);
}
+
pContext->mLastCaptureIdx = pContext->mCaptureIdx;
} else {
- memset(pReplyData, 0x80, pContext->mCaptureSize);
+ memset(pReplyData, 0x80, captureSize);
}
- break;
+ } break;
case VISUALIZER_CMD_MEASURE: {
uint16_t peakU16 = 0;