From 2fdd16b3cbe1c1e53d1c4b305f4c0174b995ad1a Mon Sep 17 00:00:00 2001
From: Eric Laurent
Date: Fri, 6 Feb 2015 10:44:24 -0800
Subject: DO NOT MERGE - audio policy service: fix possible memory overflow

Add limit on number of audio ports and patches requested by listaudioPorts() and listAudioPatches().
Bug: 19261727.
Change-Id: I21dfdf11cf805734cc3b7b2a85762c5598f60580
(cherry picked from commit 1d670b11313250442455a22f1056ad649d607fb2)
---
 media/libmedia/IAudioPolicyService.cpp | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
(limited to 'media')

diff --git a/media/libmedia/IAudioPolicyService.cpp b/media/libmedia/IAudioPolicyService.cpp
index 180f5fb..fc4a787 100644
--- a/media/libmedia/IAudioPolicyService.cpp
+++ b/media/libmedia/IAudioPolicyService.cpp
@@ -72,6 +72,8 @@ enum {
 GET_PHONE_STATE
 };
 
+#define MAX_ITEMS_PER_LIST 1024
+
 class BpAudioPolicyService : public BpInterface
 {
 public:
@@ -952,10 +954,18 @@ status_t BnAudioPolicyService::onTransact(
 audio_port_role_t role = (audio_port_role_t)data.readInt32();
 audio_port_type_t type = (audio_port_type_t)data.readInt32();
 unsigned int numPortsReq = data.readInt32();
+ if (numPortsReq > MAX_ITEMS_PER_LIST) {
+ numPortsReq = MAX_ITEMS_PER_LIST;
+ }
 unsigned int numPorts = numPortsReq;
- unsigned int generation;
 struct audio_port *ports =
 (struct audio_port *)calloc(numPortsReq, sizeof(struct audio_port));
+ if (ports == NULL) {
+ reply->writeInt32(NO_MEMORY);
+ reply->writeInt32(0);
+ return NO_ERROR;
+ }
+ unsigned int generation;
 status_t status = listAudioPorts(role, type, &numPorts, ports, &generation);
 reply->writeInt32(status);
 reply->writeInt32(numPorts);
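Review bot: `MAX_ITEMS_PER_LIST` is introduced without a comment saying what it bounds, although it is the only limit on an allocation whose size comes from caller-supplied Parcel data. A one-line comment above the define would stop the value from being raised or dropped casually, for example `// Upper bound on entries a client may request per list call; caps the calloc() size read from the Parcel.` A typed constant such as `static const unsigned int kMaxItemsPerList = 1024;` would also match the `unsigned int` counts it is compared with, though the macro behaves correctly as written.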
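Review bot: A request with a count of zero now depends on what `calloc(0, ...)` returns: the C standard allows either NULL or a unique pointer, and with the added `if (ports == NULL)` check a NULL result is reported as `NO_MEMORY` instead of reaching `listAudioPorts()`. If callers send a zero count to ask only for the number of ports (not visible in this diff, worth confirming), the check should be `if (ports == NULL && numPortsReq != 0) {`, which keeps the pre-patch behaviour for that case. The same check is added for `patches` in the LIST_AUDIO_PATCHES hunk. The case body starts before and continues past this hunk, so the lines that write the entries to the reply and free `ports` are not shown.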
@@ -1009,11 +1019,19 @@ status_t BnAudioPolicyService::onTransact(
 case LIST_AUDIO_PATCHES: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
 unsigned int numPatchesReq = data.readInt32();
+ if (numPatchesReq > MAX_ITEMS_PER_LIST) {
+ numPatchesReq = MAX_ITEMS_PER_LIST;
+ }
 unsigned int numPatches = numPatchesReq;
- unsigned int generation;
 struct audio_patch *patches =
 (struct audio_patch *)calloc(numPatchesReq,
 sizeof(struct audio_patch));
+ if (patches == NULL) {
+ reply->writeInt32(NO_MEMORY);
+ reply->writeInt32(0);
+ return NO_ERROR;
+ }
+ unsigned int generation;
 status_t status = listAudioPatches(&numPatches, patches, &generation);
 reply->writeInt32(status);
 reply->writeInt32(numPatches);
-- 
cgit v1.1
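Review bot: The clamp on `numPatchesReq` is silent, so a caller that asked for more than `MAX_ITEMS_PER_LIST` entries gets a reply built for at most 1024 with nothing telling it the request was reduced. Because the clamp overwrites `numPatchesReq` in place, server code later in this case that uses it sees the limited value, but the proxy that parses the reply is not in this diff and may still size its read from the count it originally sent; confirm it bounds the read by what the reply actually holds. A comment at the clamp would record the contract, for example `// Untrusted count from the Parcel: never allocate or return more than MAX_ITEMS_PER_LIST entries.` The LIST_AUDIO_PORTS hunk has the same clamp on `numPortsReq`, and this case body also continues past the end of the hunk.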