From 4d0485d7daead3a28cac12c2e2cea25c2ade654d Mon Sep 17 00:00:00 2001 From: SathishKumar Mani Date: Fri, 25 Sep 2015 18:17:46 -0700 Subject: Stagefright: Add Checks for allocations Warn allocation failures explicitly rather than crash trying to access unallocated memory Change-Id: Ie86c3ac130917e1f4030eb8207ac8350cba7711d --- media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp | 3 +++ media/libmedia/ICrypto.cpp | 2 ++ media/libmedia/IEffectClient.cpp | 4 ++++ media/libmedia/MediaScanner.cpp | 4 ++++ media/libmediaplayerservice/MediaPlayerService.cpp | 1 + media/libstagefright/MPEG4Extractor.cpp | 1 + media/libstagefright/MPEG4Writer.cpp | 5 +++++ media/libstagefright/MediaBuffer.cpp | 1 + media/libstagefright/OggExtractor.cpp | 1 + media/libstagefright/foundation/ABuffer.cpp | 10 +++------- services/audioflinger/AudioFlinger.cpp | 1 + services/audioflinger/BufferProviders.cpp | 2 ++ services/audioflinger/Tracks.cpp | 2 ++ services/audiopolicy/service/AudioPolicyEffects.cpp | 1 + services/audiopolicy/service/AudioPolicyEffects.h | 3 +++ 15 files changed, 34 insertions(+), 7 deletions(-) diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp index ad7ca4a..e01c414 100644 --- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp +++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp @@ -29,6 +29,7 @@ #include "EffectBundle.h" #include "math.h" +#include // effect_handle_t interface implementation for bass boost extern "C" const struct effect_interface_s gLvmEffectInterface; @@ -563,6 +564,7 @@ int LvmBundle_init(EffectContext *pContext){ for (int i=0; ipBundledContext->workBuffer = (LVM_INT16 *)malloc(frameCount * sizeof(LVM_INT16) * 2); + CHECK(pContext->pBundledContext->workBuffer != NULL); pContext->pBundledContext->frameCount = frameCount; } pOutTmp = pContext->pBundledContext->workBuffer; diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp index 947294f..9f65bde 100644 
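Review bot: The `CHECK(pContext->pBundledContext->workBuffer != NULL)` added after the `workBuffer` malloc in EffectBundle.cpp still terminates the process when the allocation fails, assuming `CHECK` is the fatal stagefright assertion macro (the name of the added include is not visible here), so the new code does not "warn ... rather than crash" as the commit message says. The process that dies is whichever one loaded the effect library, so one failed allocation in an effect takes the hosting service down with it. If the enclosing function returns an int status, as the hunk header suggests but does not prove, prefer `if (pContext->pBundledContext->workBuffer == NULL) { ALOGE("workBuffer allocation failed"); return -ENOMEM; }`. The same point applies to the other hunks whose functions can report failure to their caller: `copyAVCCodecSpecificData`, `makeAVCCodecSpecificData` and `threadEntry` in MPEG4Writer.cpp, `DecodeBase64` in OggExtractor.cpp, `OutputTrack::write` in Tracks.cpp and `loadEffectParameter` in AudioPolicyEffects.cpp.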
--- a/media/libmedia/ICrypto.cpp +++ b/media/libmedia/ICrypto.cpp @@ -235,6 +235,7 @@ status_t BnCrypto::onTransact( if (opaqueSize > 0) { opaqueData = malloc(opaqueSize); + CHECK(opaqueData != NULL); data.read(opaqueData, opaqueSize); } @@ -298,6 +299,7 @@ status_t BnCrypto::onTransact( secureBufferId = reinterpret_cast(static_cast(data.readInt64())); } else { dstPtr = malloc(totalSize); + CHECK(dstPtr != NULL); } AString errorDetailMsg; diff --git a/media/libmedia/IEffectClient.cpp b/media/libmedia/IEffectClient.cpp index 1322e72..531f767 100644 --- a/media/libmedia/IEffectClient.cpp +++ b/media/libmedia/IEffectClient.cpp @@ -22,6 +22,8 @@ #include #include +#include + namespace android { enum { @@ -117,12 +119,14 @@ status_t BnEffectClient::onTransact( char *cmd = NULL; if (cmdSize) { cmd = (char *)malloc(cmdSize); + CHECK(cmd != NULL); data.read(cmd, cmdSize); } uint32_t replySize = data.readInt32(); char *resp = NULL; if (replySize) { resp = (char *)malloc(replySize); + CHECK(resp != NULL); data.read(resp, replySize); } commandExecuted(cmdCode, cmdSize, cmd, replySize, resp); diff --git a/media/libmedia/MediaScanner.cpp b/media/libmedia/MediaScanner.cpp index dcbb769..dac0a9e 100644 --- a/media/libmedia/MediaScanner.cpp +++ b/media/libmedia/MediaScanner.cpp @@ -24,6 +24,8 @@ #include #include +#include + namespace android { MediaScanner::MediaScanner() @@ -240,6 +242,7 @@ MediaScanResult MediaScanner::doProcessDirectoryEntry( MediaAlbumArt *MediaAlbumArt::clone() { size_t byte_size = this->size() + sizeof(MediaAlbumArt); MediaAlbumArt *result = reinterpret_cast(malloc(byte_size)); + CHECK(result != NULL); result->mSize = this->size(); memcpy(&result->mData[0], &this->mData[0], this->size()); return result; 
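Review bot: In `BnCrypto::onTransact` the added `CHECK(opaqueData != NULL)` turns a failed `malloc(opaqueSize)` into a deliberate abort of the service, and `opaqueSize` looks like a value taken from the incoming parcel (its read is outside the hunk), so the size that decides whether the process survives is chosen by the binder caller. A transaction handler should reject the request instead, e.g. `if (opaqueData == NULL) { return NO_MEMORY; }`, after releasing anything allocated earlier in the handler (not visible here). The result of `data.read(opaqueData, opaqueSize)` on the following line is also ignored, so a parcel shorter than the claimed size leaves the buffer uninitialised. The same pattern appears in the second ICrypto hunk (`dstPtr = malloc(totalSize)`) and in `BnEffectClient::onTransact`, where `resp` is sized by `replySize = data.readInt32()` and `cmd` by `cmdSize`.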
@@ -253,6 +256,7 @@ void MediaAlbumArt::init(MediaAlbumArt *instance, int32_t dataSize, const void * MediaAlbumArt *MediaAlbumArt::fromData(int32_t dataSize, const void* data) { size_t byte_size = sizeof(MediaAlbumArt) + dataSize; MediaAlbumArt *result = reinterpret_cast(malloc(byte_size)); + CHECK(result != NULL); init(result, dataSize, data); return result; } diff --git a/media/libmediaplayerservice/MediaPlayerService.cpp b/media/libmediaplayerservice/MediaPlayerService.cpp index 0ce0c3f..6e104a4 100644 --- a/media/libmediaplayerservice/MediaPlayerService.cpp +++ b/media/libmediaplayerservice/MediaPlayerService.cpp @@ -2128,6 +2128,7 @@ bool CallbackThread::threadLoop() { if (mBuffer == NULL) { mBufferSize = sink->bufferSize(); mBuffer = malloc(mBufferSize); + CHECK(mBuffer != NULL); } size_t actualSize = diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 84e07b5..cd50365 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -535,6 +535,7 @@ status_t MPEG4Extractor::readMetaData() { } if (psshsize > 0 && psshsize <= UINT32_MAX) { char *buf = (char*)malloc(psshsize); + CHECK(buf != NULL); char *ptr = buf; for (size_t i = 0; i < mPssh.size(); i++) { memcpy(ptr, mPssh[i].uuid, 20); // uuid + length diff --git a/media/libstagefright/MPEG4Writer.cpp b/media/libstagefright/MPEG4Writer.cpp index 7dfac76..8af2615 100644 --- a/media/libstagefright/MPEG4Writer.cpp +++ b/media/libstagefright/MPEG4Writer.cpp @@ -1566,6 +1566,7 @@ void MPEG4Writer::Track::getCodecSpecificDataFromInputFormatIfPossible() { size_t size; if (mMeta->findData(kKeyAVCC, &type, &data, &size)) { mCodecSpecificData = malloc(size); + CHECK(mCodecSpecificData != NULL); mCodecSpecificDataSize = size; memcpy(mCodecSpecificData, data, size); mGotAllCodecSpecificData = true; 
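Review bot: `MediaAlbumArt::fromData` now checks the malloc result but still not `dataSize`, a signed `int32_t` that is added into a `size_t`: a negative value makes `byte_size` wrap to less than `sizeof(MediaAlbumArt)`, the allocation succeeds, and `init(result, dataSize, data)` then runs on an undersized block. Add `if (dataSize < 0) { return NULL; }` before `byte_size` is computed. What `init` does with the size is outside this hunk, so the exact impact is unconfirmed, but the NULL check alone does not make this path safe.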
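Review bot: In `MPEG4Extractor::readMetaData` the guard `psshsize <= UINT32_MAX` allows an allocation request of up to 4 GiB, and with the added `CHECK(buf != NULL)` a request that cannot be satisfied aborts the process parsing the file. `psshsize` appears to be accumulated from the `mPssh` entries, i.e. from file content, so this should be reported as a parse failure: `if (buf == NULL) { return NO_MEMORY; }` fits the function's `status_t` return, ideally together with a far smaller cap on `psshsize`. The rest of the function is outside the hunk, so confirm nothing needs releasing on that early return.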
@@ -1579,6 +1580,7 @@ void MPEG4Writer::Track::getCodecSpecificDataFromInputFormatIfPossible() { ESDS esds(data, size); if (esds.getCodecSpecificInfo(&data, &size) == OK) { mCodecSpecificData = malloc(size); + CHECK(mCodecSpecificData != NULL); mCodecSpecificDataSize = size; memcpy(mCodecSpecificData, data, size); mGotAllCodecSpecificData = true; @@ -1979,6 +1981,7 @@ status_t MPEG4Writer::Track::copyAVCCodecSpecificData( mCodecSpecificDataSize = size; mCodecSpecificData = malloc(size); + CHECK(mCodecSpecificData != NULL); memcpy(mCodecSpecificData, data, size); return OK; } @@ -2101,6 +2104,7 @@ status_t MPEG4Writer::Track::makeAVCCodecSpecificData( // ISO 14496-15: AVC file format mCodecSpecificDataSize += 7; // 7 more bytes in the header mCodecSpecificData = malloc(mCodecSpecificDataSize); + CHECK(mCodecSpecificData != NULL); uint8_t *header = (uint8_t *)mCodecSpecificData; header[0] = 1; // version header[1] = mProfileIdc; // profile indication @@ -2235,6 +2239,7 @@ status_t MPEG4Writer::Track::threadEntry() { } else if (mIsMPEG4) { mCodecSpecificDataSize = buffer->range_length(); mCodecSpecificData = malloc(mCodecSpecificDataSize); + CHECK(mCodecSpecificData != NULL); memcpy(mCodecSpecificData, (const uint8_t *)buffer->data() + buffer->range_offset(), diff --git a/media/libstagefright/MediaBuffer.cpp b/media/libstagefright/MediaBuffer.cpp index 1f80a47..525a156 100644 --- a/media/libstagefright/MediaBuffer.cpp +++ b/media/libstagefright/MediaBuffer.cpp @@ -54,6 +54,7 @@ MediaBuffer::MediaBuffer(size_t size) mOwnsData(true), mMetaData(new MetaData), mOriginal(NULL) { + CHECK(mData != NULL); } MediaBuffer::MediaBuffer(const sp& graphicBuffer) diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp index 6fba8e1..c438d3c 100644 --- a/media/libstagefright/OggExtractor.cpp +++ b/media/libstagefright/OggExtractor.cpp 
@@ -1225,6 +1225,7 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) { *outSize = outLen; void *buffer = malloc(outLen); + CHECK(buffer != NULL); uint8_t *out = (uint8_t *)buffer; size_t j = 0; diff --git a/media/libstagefright/foundation/ABuffer.cpp b/media/libstagefright/foundation/ABuffer.cpp index a5b81a8..3ebbbd9 100644 --- a/media/libstagefright/foundation/ABuffer.cpp +++ b/media/libstagefright/foundation/ABuffer.cpp @@ -29,13 +29,9 @@ ABuffer::ABuffer(size_t capacity) mInt32Data(0), mOwnsData(true) { mData = malloc(capacity); - if (mData == NULL) { - mCapacity = 0; - mRangeLength = 0; - } else { - mCapacity = capacity; - mRangeLength = capacity; - } + CHECK(mData != NULL); + mCapacity = capacity; + mRangeLength = capacity; } ABuffer::ABuffer(void *data, size_t capacity) diff --git a/services/audioflinger/AudioFlinger.cpp b/services/audioflinger/AudioFlinger.cpp index 5089bd3..c7f863b 100644 --- a/services/audioflinger/AudioFlinger.cpp +++ b/services/audioflinger/AudioFlinger.cpp @@ -2986,6 +2986,7 @@ void AudioFlinger::dumpTee(int fd, const sp& source, audio_io_hand bool firstRead = true; #define TEE_SINK_READ 1024 // frames per I/O operation void *buffer = malloc(TEE_SINK_READ * frameSize); + CHECK (buffer != NULL); for (;;) { size_t count = TEE_SINK_READ; ssize_t actual = teeSource->read(buffer, count, diff --git a/services/audioflinger/BufferProviders.cpp b/services/audioflinger/BufferProviders.cpp index a8be206..434a514 100644 --- a/services/audioflinger/BufferProviders.cpp +++ b/services/audioflinger/BufferProviders.cpp @@ -24,6 +24,7 @@ #include #include +#include #include "Configuration.h" #include "BufferProviders.h" 
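Review bot: The `ABuffer(size_t capacity)` hunk deletes the existing fallback that set `mCapacity` and `mRangeLength` to 0 when malloc failed and puts `CHECK(mData != NULL)` in its place, so any caller that tested for an empty buffer after construction loses that path and the process aborts instead. ABuffer capacities are often derived from sizes found in the stream being parsed (an assumption; no callers are in this diff), which would make the abort reachable from malformed input. Keeping the removed branch and adding `ALOGE("ABuffer: failed to allocate %zu bytes", capacity);` inside it would match the commit message's stated aim of warning.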
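Review bot: `AudioFlinger::dumpTee` is a void routine that, judging by its name, only produces diagnostics, yet `CHECK (buffer != NULL)` makes a failed scratch allocation there fatal to the whole AudioFlinger process. A dump can simply be skipped: `if (buffer == NULL) { ALOGE("dumpTee: out of memory"); return; }`, after releasing whatever the function opened before this point (not visible in the hunk). The spacing in `CHECK (` also differs from every other `CHECK(` this commit adds.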
@@ -205,6 +206,7 @@ DownmixerBufferProvider::DownmixerBufferProvider( const int downmixParamSize = sizeof(effect_param_t) + psizePadded + sizeof(downmix_type_t); effect_param_t * const param = (effect_param_t *) malloc(downmixParamSize); + CHECK(param != NULL); param->psize = sizeof(downmix_params_t); const downmix_params_t downmixParam = DOWNMIX_PARAM_TYPE; memcpy(param->data, &downmixParam, param->psize); diff --git a/services/audioflinger/Tracks.cpp b/services/audioflinger/Tracks.cpp index f7da209..a45a6f8 100644 --- a/services/audioflinger/Tracks.cpp +++ b/services/audioflinger/Tracks.cpp @@ -24,6 +24,7 @@ #include #include #include +#include #include @@ -1771,6 +1772,7 @@ bool AudioFlinger::PlaybackThread::OutputTrack::write(void* data, uint32_t frame if (mBufferQueue.size() < kMaxOverFlowBuffers) { pInBuffer = new Buffer; pInBuffer->mBuffer = malloc(inBuffer.frameCount * mFrameSize); + CHECK(pInBuffer->mBuffer != NULL); pInBuffer->frameCount = inBuffer.frameCount; pInBuffer->raw = pInBuffer->mBuffer; memcpy(pInBuffer->raw, inBuffer.raw, inBuffer.frameCount * mFrameSize); diff --git a/services/audiopolicy/service/AudioPolicyEffects.cpp b/services/audiopolicy/service/AudioPolicyEffects.cpp index 282ddeb..e71d7a5 100644 --- a/services/audiopolicy/service/AudioPolicyEffects.cpp +++ b/services/audiopolicy/service/AudioPolicyEffects.cpp @@ -442,6 +442,7 @@ effect_param_t *AudioPolicyEffects::loadEffectParameter(cnode *root) size_t curSize = sizeof(effect_param_t); size_t totSize = sizeof(effect_param_t) + 2 * sizeof(int); effect_param_t *fx_param = (effect_param_t *)malloc(totSize); + CHECK(fx_param != NULL); param = config_find(root, PARAM_TAG); value = config_find(root, VALUE_TAG); diff --git a/services/audiopolicy/service/AudioPolicyEffects.h b/services/audiopolicy/service/AudioPolicyEffects.h index 3dec437..3845050 100644 --- a/services/audiopolicy/service/AudioPolicyEffects.h +++ b/services/audiopolicy/service/AudioPolicyEffects.h 
@@ -27,6 +27,8 @@ #include #include +#include + namespace android { // ---------------------------------------------------------------------------- @@ -102,6 +104,7 @@ private: ((origParam->psize + 3) & ~3) + ((origParam->vsize + 3) & ~3); effect_param_t *dupParam = (effect_param_t *) malloc(origSize); + CHECK(dupParam != NULL); memcpy(dupParam, origParam, origSize); // This works because the param buffer allocation is also done by // multiples of 4 bytes originally. In theory we should memcpy only -- cgit v1.1
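Review bot: The `CHECK(dupParam != NULL)` added in AudioPolicyEffects.h guards the allocation but not the arithmetic that sizes it: `((origParam->psize + 3) & ~3)` and the matching `vsize` term wrap for values near the top of their range, so `origSize` can come out smaller than the `psize` and `vsize` fields that are then copied into `dupParam` claim. Where `origParam` comes from is not visible in this hunk; if a client can influence it, bound `psize` and `vsize` before computing `origSize` so later code that trusts those fields cannot read past the copy. Separately, the include added for `CHECK` lives in a header, which makes every file that includes AudioPolicyEffects.h depend on it; moving this code into the .cpp would avoid that.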