diff options
author | Eric Laurent <elaurent@google.com> | 2015-03-25 22:00:47 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2015-03-25 22:00:47 +0000 |
commit | 82fd850ece75f53110d5c04b49646e5035b8cd24 (patch) | |
tree | 3c0c55403f74bd87955e1570faf33a4b52a91ff4 /media | |
parent | f1300d31fe80c8e14cf2bbca6c7b6768110cd5ba (diff) | |
parent | 414af268fbc23e877680e084aeb64a4bed79c0a6 (diff) | |
download | frameworks_av-82fd850ece75f53110d5c04b49646e5035b8cd24.zip frameworks_av-82fd850ece75f53110d5c04b49646e5035b8cd24.tar.gz frameworks_av-82fd850ece75f53110d5c04b49646e5035b8cd24.tar.bz2 |
am 414af268: am c42c4b52: am 424324b3: am 2fdd16b3: DO NOT MERGE - audio policy service: fix possible memory overflow
* commit '414af268fbc23e877680e084aeb64a4bed79c0a6':
DO NOT MERGE - audio policy service: fix possible memory overflow
Diffstat (limited to 'media')
-rw-r--r-- | media/libmedia/IAudioPolicyService.cpp | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/media/libmedia/IAudioPolicyService.cpp b/media/libmedia/IAudioPolicyService.cpp index dbc7a9e..cfb28a9 100644 --- a/media/libmedia/IAudioPolicyService.cpp +++ b/media/libmedia/IAudioPolicyService.cpp @@ -73,6 +73,8 @@ enum { REGISTER_POLICY_MIXES, }; +#define MAX_ITEMS_PER_LIST 1024 + class BpAudioPolicyService : public BpInterface<IAudioPolicyService> { public: @@ -1054,10 +1056,18 @@ status_t BnAudioPolicyService::onTransact( audio_port_role_t role = (audio_port_role_t)data.readInt32(); audio_port_type_t type = (audio_port_type_t)data.readInt32(); unsigned int numPortsReq = data.readInt32(); + if (numPortsReq > MAX_ITEMS_PER_LIST) { + numPortsReq = MAX_ITEMS_PER_LIST; + } unsigned int numPorts = numPortsReq; - unsigned int generation; struct audio_port *ports = (struct audio_port *)calloc(numPortsReq, sizeof(struct audio_port)); + if (ports == NULL) { + reply->writeInt32(NO_MEMORY); + reply->writeInt32(0); + return NO_ERROR; + } + unsigned int generation; status_t status = listAudioPorts(role, type, &numPorts, ports, &generation); reply->writeInt32(status); reply->writeInt32(numPorts); @@ -1111,11 +1121,19 @@ status_t BnAudioPolicyService::onTransact( case LIST_AUDIO_PATCHES: { CHECK_INTERFACE(IAudioPolicyService, data, reply); unsigned int numPatchesReq = data.readInt32(); + if (numPatchesReq > MAX_ITEMS_PER_LIST) { + numPatchesReq = MAX_ITEMS_PER_LIST; + } unsigned int numPatches = numPatchesReq; - unsigned int generation; struct audio_patch *patches = (struct audio_patch *)calloc(numPatchesReq, sizeof(struct audio_patch)); + if (patches == NULL) { + reply->writeInt32(NO_MEMORY); + reply->writeInt32(0); + return NO_ERROR; + } + unsigned int generation; status_t status = listAudioPatches(&numPatches, patches, &generation); reply->writeInt32(status); reply->writeInt32(numPatches); |