-rw-r--r--media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp5
-rw-r--r--media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp5
-rwxr-xr-xmedia/libstagefright/MPEG4Extractor.cpp10
-rw-r--r--services/camera/libcameraservice/CameraService.cpp10
-rw-r--r--services/camera/libcameraservice/CameraService.h8
-rw-r--r--services/camera/libcameraservice/api1/Camera2Client.cpp4
-rw-r--r--services/camera/libcameraservice/api1/Camera2Client.h2
-rw-r--r--services/camera/libcameraservice/api1/CameraClient.cpp4
-rw-r--r--services/camera/libcameraservice/api1/CameraClient.h4
-rw-r--r--services/camera/libcameraservice/api2/CameraDeviceClient.cpp5
-rw-r--r--services/camera/libcameraservice/api2/CameraDeviceClient.h2
-rw-r--r--services/camera/libcameraservice/common/Camera2ClientBase.cpp2
-rw-r--r--services/camera/libcameraservice/common/Camera2ClientBase.h2
13 files changed, 54 insertions, 9 deletions
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index e01c414..f0afd39 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -3104,7 +3104,10 @@ int Effect_command(effect_handle_t self,
//ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");
effect_param_t *p = (effect_param_t *)pCmdData;
-
+ if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
+ android_errorWriteLog(0x534e4554, "26347509");
+ return -EINVAL;
+ }
if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
cmdSize < (sizeof(effect_param_t) + p->psize) ||
pReplyData == NULL || replySize == NULL ||
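Review bot: The added overflow guard reads `p->psize` before the existing condition below it has tested `pCmdData == NULL` and `cmdSize < sizeof(effect_param_t)`, so a null or short command buffer is dereferenced by the new check itself. Fold the preconditions into the guard, `if (pCmdData != NULL && cmdSize >= sizeof(effect_param_t) && SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {`, so that null or short input falls through to the existing validation. The same ordering appears in the Reverb_command hunk of EffectReverb.cpp. In both files the existing condition continues past the end of the hunk, so its remaining clauses are not visible here.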
diff --git a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
index a48a4e3..4dc8b45 100644
--- a/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
+++ b/media/libeffects/lvm/wrapper/Reverb/EffectReverb.cpp
@@ -1956,7 +1956,10 @@ int Reverb_command(effect_handle_t self,
//ALOGV("\tReverb_command cmdCode Case: "
// "EFFECT_CMD_GET_PARAM start");
effect_param_t *p = (effect_param_t *)pCmdData;
-
+ if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
+ android_errorWriteLog(0x534e4554, "26347509");
+ return -EINVAL;
+ }
if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
cmdSize < (sizeof(effect_param_t) + p->psize) ||
pReplyData == NULL || replySize == NULL ||
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 3baf6b6..c7c238e 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -4575,7 +4575,15 @@ status_t MPEG4Source::fragmentedRead(
continue;
}
- CHECK(dstOffset + 4 <= mBuffer->size());
+ if (dstOffset > SIZE_MAX - 4 ||
+ dstOffset + 4 > SIZE_MAX - nalLength ||
+ dstOffset + 4 + nalLength > mBuffer->size()) {
+ ALOGE("b/26365349 : %zu %zu", dstOffset, mBuffer->size());
+ android_errorWriteLog(0x534e4554, "26365349");
+ mBuffer->release();
+ mBuffer = NULL;
+ return ERROR_MALFORMED;
+ }
dstData[dstOffset++] = 0;
dstData[dstOffset++] = 0;
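Review bot: The ALOGE line in the new bounds check prints `dstOffset` and `mBuffer->size()` but not `nalLength`, the third operand of the comparison, so a log from the field cannot show which clause rejected the sample. Add it to the message with a format specifier that matches its declared type, which is outside this hunk. A short comment above the condition would also help, for example `// First two clauses keep dstOffset + 4 + nalLength from wrapping; the third is the bounds check.` fragmentedRead starts and ends outside the hunk.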
diff --git a/services/camera/libcameraservice/CameraService.cpp b/services/camera/libcameraservice/CameraService.cpp
index 3deb396..7c4594f 100644
--- a/services/camera/libcameraservice/CameraService.cpp
+++ b/services/camera/libcameraservice/CameraService.cpp
@@ -1944,6 +1944,14 @@ void CameraService::BasicClient::disconnect() {
mClientPid = 0;
}
+status_t CameraService::BasicClient::dump(int, const Vector<String16>&) {
+ // No dumping of clients directly over Binder,
+ // must go through CameraService::dump
+ android_errorWriteWithInfoLog(SN_EVENT_LOG_ID, "26265403",
+ IPCThreadState::self()->getCallingUid(), NULL, 0);
+ return OK;
+}
+
String16 CameraService::BasicClient::getPackageName() const {
return mClientPackageName;
}
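Review bot: `BasicClient::dump` returns `OK` after refusing the request, so a caller that reaches it over Binder cannot tell a refused dump from a client with nothing to report. If no existing caller depends on `OK` here (not visible on this page), `return PERMISSION_DENIED;` states the outcome. The comment could also say what the function does instead of dumping, e.g. `// Logs the calling UID to the event log and writes nothing to fd.`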
@@ -2396,7 +2404,7 @@ status_t CameraService::dump(int fd, const Vector<String16>& args) {
String8(client->getPackageName()).string());
write(fd, result.string(), result.size());
- client->dump(fd, args);
+ client->dumpClient(fd, args);
}
if (stateLocked) mCameraStatesLock.unlock();
diff --git a/services/camera/libcameraservice/CameraService.h b/services/camera/libcameraservice/CameraService.h
index ce026b9..ee4c3f9 100644
--- a/services/camera/libcameraservice/CameraService.h
+++ b/services/camera/libcameraservice/CameraService.h
@@ -91,6 +91,9 @@ public:
// Default number of messages to store in eviction log
static const size_t DEFAULT_EVENT_LOG_LENGTH = 100;
+ // Event log ID
+ static const int SN_EVENT_LOG_ID = 0x534e4554;
+
// Implementation of BinderService<T>
static char const* getServiceName() { return "media.camera"; }
@@ -205,7 +208,10 @@ public:
return mRemoteBinder;
}
- virtual status_t dump(int fd, const Vector<String16>& args) = 0;
+ // Disallows dumping over binder interface
+ virtual status_t dump(int fd, const Vector<String16>& args);
+ // Internal dump method to be called by CameraService
+ virtual status_t dumpClient(int fd, const Vector<String16>& args) = 0;
// Return the package name for this client
virtual String16 getPackageName() const;
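Review bot: The comments on `dump` and `dumpClient` do not state the contract that subclasses now have to keep: the restriction only holds while every override of `dump()` forwards to `BasicClient::dump`, as the three client classes in this commit do. Suggest `// Entry point reachable over Binder; writes nothing to fd. Overrides must forward to BasicClient::dump.` on `dump` and `// Writes the client state to fd; intended to be called only from CameraService::dump.` on `dumpClient`. The enclosing class starts and ends outside the hunk.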
diff --git a/services/camera/libcameraservice/api1/Camera2Client.cpp b/services/camera/libcameraservice/api1/Camera2Client.cpp
index 1821636..96266ed 100644
--- a/services/camera/libcameraservice/api1/Camera2Client.cpp
+++ b/services/camera/libcameraservice/api1/Camera2Client.cpp
@@ -163,6 +163,10 @@ Camera2Client::~Camera2Client() {
}
status_t Camera2Client::dump(int fd, const Vector<String16>& args) {
+ return BasicClient::dump(fd, args);
+}
+
+status_t Camera2Client::dumpClient(int fd, const Vector<String16>& args) {
String8 result;
result.appendFormat("Client2[%d] (%p) PID: %d, dump:\n", mCameraId,
(getRemoteCallback() != NULL ?
diff --git a/services/camera/libcameraservice/api1/Camera2Client.h b/services/camera/libcameraservice/api1/Camera2Client.h
index d50bf63..7e7a284 100644
--- a/services/camera/libcameraservice/api1/Camera2Client.h
+++ b/services/camera/libcameraservice/api1/Camera2Client.h
@@ -100,6 +100,8 @@ public:
virtual status_t dump(int fd, const Vector<String16>& args);
+ virtual status_t dumpClient(int fd, const Vector<String16>& args);
+
/**
* Interface used by CameraDeviceBase
*/
diff --git a/services/camera/libcameraservice/api1/CameraClient.cpp b/services/camera/libcameraservice/api1/CameraClient.cpp
index af0d680..55555fd 100644
--- a/services/camera/libcameraservice/api1/CameraClient.cpp
+++ b/services/camera/libcameraservice/api1/CameraClient.cpp
@@ -111,6 +111,10 @@ CameraClient::~CameraClient() {
}
status_t CameraClient::dump(int fd, const Vector<String16>& args) {
+ return BasicClient::dump(fd, args);
+}
+
+status_t CameraClient::dumpClient(int fd, const Vector<String16>& args) {
const size_t SIZE = 256;
char buffer[SIZE];
diff --git a/services/camera/libcameraservice/api1/CameraClient.h b/services/camera/libcameraservice/api1/CameraClient.h
index 9d2d02f..d2cb64a 100644
--- a/services/camera/libcameraservice/api1/CameraClient.h
+++ b/services/camera/libcameraservice/api1/CameraClient.h
@@ -70,7 +70,9 @@ public:
status_t initialize(CameraModule *module);
- status_t dump(int fd, const Vector<String16>& args);
+ virtual status_t dump(int fd, const Vector<String16>& args);
+
+ virtual status_t dumpClient(int fd, const Vector<String16>& args);
private:
diff --git a/services/camera/libcameraservice/api2/CameraDeviceClient.cpp b/services/camera/libcameraservice/api2/CameraDeviceClient.cpp
index 0c531c3..bd9fea3 100644
--- a/services/camera/libcameraservice/api2/CameraDeviceClient.cpp
+++ b/services/camera/libcameraservice/api2/CameraDeviceClient.cpp
@@ -787,8 +787,11 @@ status_t CameraDeviceClient::tearDown(int streamId) {
return res;
}
-
status_t CameraDeviceClient::dump(int fd, const Vector<String16>& args) {
+ return BasicClient::dump(fd, args);
+}
+
+status_t CameraDeviceClient::dumpClient(int fd, const Vector<String16>& args) {
String8 result;
result.appendFormat("CameraDeviceClient[%d] (%p) dump:\n",
mCameraId,
diff --git a/services/camera/libcameraservice/api2/CameraDeviceClient.h b/services/camera/libcameraservice/api2/CameraDeviceClient.h
index d1e692c..b1d1762 100644
--- a/services/camera/libcameraservice/api2/CameraDeviceClient.h
+++ b/services/camera/libcameraservice/api2/CameraDeviceClient.h
@@ -135,6 +135,8 @@ public:
virtual status_t dump(int fd, const Vector<String16>& args);
+ virtual status_t dumpClient(int fd, const Vector<String16>& args);
+
/**
* Device listener interface
*/
diff --git a/services/camera/libcameraservice/common/Camera2ClientBase.cpp b/services/camera/libcameraservice/common/Camera2ClientBase.cpp
index 5732f80..c7de56a 100644
--- a/services/camera/libcameraservice/common/Camera2ClientBase.cpp
+++ b/services/camera/libcameraservice/common/Camera2ClientBase.cpp
@@ -124,7 +124,7 @@ Camera2ClientBase<TClientBase>::~Camera2ClientBase() {
}
template <typename TClientBase>
-status_t Camera2ClientBase<TClientBase>::dump(int fd,
+status_t Camera2ClientBase<TClientBase>::dumpClient(int fd,
const Vector<String16>& args) {
String8 result;
result.appendFormat("Camera2ClientBase[%d] (%p) PID: %d, dump:\n",
diff --git a/services/camera/libcameraservice/common/Camera2ClientBase.h b/services/camera/libcameraservice/common/Camera2ClientBase.h
index 220c5ad..4568af0 100644
--- a/services/camera/libcameraservice/common/Camera2ClientBase.h
+++ b/services/camera/libcameraservice/common/Camera2ClientBase.h
@@ -57,7 +57,7 @@ public:
virtual ~Camera2ClientBase();
virtual status_t initialize(CameraModule *module);
- virtual status_t dump(int fd, const Vector<String16>& args);
+ virtual status_t dumpClient(int fd, const Vector<String16>& args);
/**
* CameraDeviceBase::NotificationListener implementation