DO NOT MERGE - audio policy service: fix possible memory overflow

Add limit on number of audio ports and patches requested by listaudioPorts() and listAudioPatches(). Bug: 19261727. Change-Id: I21dfdf11cf805734cc3b7b2a85762c5598f60580 (cherry picked from commit 1d670b11313250442455a22f1056ad649d607fb2)
author: Eric Laurent <elaurent@google.com> 2015-02-06 10:44:24 -0800
committer: Eric Laurent <elaurent@google.com> 2015-03-25 18:55:09 +0000
commit: 2fdd16b3cbe1c1e53d1c4b305f4c0174b995ad1a (patch)
tree: 24e2230b0bd1fb18c7b37effe1af168757326959 /media
parent: 8e2b445fabd05132de57226de71c7860a5391954 (diff)
download: frameworks_av-2fdd16b3cbe1c1e53d1c4b305f4c0174b995ad1a.zip
frameworks_av-2fdd16b3cbe1c1e53d1c4b305f4c0174b995ad1a.tar.gz
frameworks_av-2fdd16b3cbe1c1e53d1c4b305f4c0174b995ad1a.tar.bz2
1 files changed, 20 insertions, 2 deletions
diff --git a/media/libmedia/IAudioPolicyService.cpp b/media/libmedia/IAudioPolicyService.cpp
index 180f5fb..fc4a787 100644
--- a/media/libmedia/IAudioPolicyService.cpp
+++ b/media/libmedia/IAudioPolicyService.cpp
@@ -72,6 +72,8 @@ enum {
     GET_PHONE_STATE
 };
 
+#define MAX_ITEMS_PER_LIST 1024
+
 class BpAudioPolicyService : public BpInterface<IAudioPolicyService>
 {
 public:
@@ -952,10 +954,18 @@ status_t BnAudioPolicyService::onTransact(
             audio_port_role_t role = (audio_port_role_t)data.readInt32();
             audio_port_type_t type = (audio_port_type_t)data.readInt32();
             unsigned int numPortsReq = data.readInt32();
+            if (numPortsReq > MAX_ITEMS_PER_LIST) {
+                numPortsReq = MAX_ITEMS_PER_LIST;
+            }
             unsigned int numPorts = numPortsReq;
-            unsigned int generation;
             struct audio_port *ports =
                     (struct audio_port *)calloc(numPortsReq, sizeof(struct audio_port));
+            if (ports == NULL) {
+                reply->writeInt32(NO_MEMORY);
+                reply->writeInt32(0);
+                return NO_ERROR;
+            }
+            unsigned int generation;
             status_t status = listAudioPorts(role, type, &numPorts, ports, &generation);
             reply->writeInt32(status);
             reply->writeInt32(numPorts);
@@ -1009,11 +1019,19 @@ status_t BnAudioPolicyService::onTransact(
         case LIST_AUDIO_PATCHES: {
             CHECK_INTERFACE(IAudioPolicyService, data, reply);
             unsigned int numPatchesReq = data.readInt32();
+            if (numPatchesReq > MAX_ITEMS_PER_LIST) {
+                numPatchesReq = MAX_ITEMS_PER_LIST;
+            }
             unsigned int numPatches = numPatchesReq;
-            unsigned int generation;
             struct audio_patch *patches =
                     (struct audio_patch *)calloc(numPatchesReq,
                                                  sizeof(struct audio_patch));
+            if (patches == NULL) {
+                reply->writeInt32(NO_MEMORY);
+                reply->writeInt32(0);
+                return NO_ERROR;
+            }
+            unsigned int generation;
             status_t status = listAudioPatches(&numPatches, patches, &generation);
             reply->writeInt32(status);
             reply->writeInt32(numPatches);
author	Eric Laurent <elaurent@google.com>	2015-02-06 10:44:24 -0800
committer	Eric Laurent <elaurent@google.com>	2015-03-25 18:55:09 +0000
commit	2fdd16b3cbe1c1e53d1c4b305f4c0174b995ad1a (patch)
tree	24e2230b0bd1fb18c7b37effe1af168757326959 /media
parent	8e2b445fabd05132de57226de71c7860a5391954 (diff)
download	frameworks_av-2fdd16b3cbe1c1e53d1c4b305f4c0174b995ad1a.zip frameworks_av-2fdd16b3cbe1c1e53d1c4b305f4c0174b995ad1a.tar.gz frameworks_av-2fdd16b3cbe1c1e53d1c4b305f4c0174b995ad1a.tar.bz2