From 5841db78dff14898538200287d246577b1fc37e2 Mon Sep 17 00:00:00 2001
From: Eric Laurent
Date: Wed, 9 Sep 2009 05:16:08 -0700
Subject: Fix issue 2107584: media server crash when AudioFlinger fails to allocate memory for track control block. AudioFlinger: verify that mCblk is not null before using it in Track and RecordTrack contructors. IAudioFlinger: check result of remote transaction before reading IAudioTrack and IAudioRecord. IAudioTrack and IAudioRecord: check result of remote transaction before reading IMemory.
---
 media/libmedia/IAudioFlinger.cpp | 19 ++++++++++++++-----
 media/libmedia/IAudioRecord.cpp | 8 ++++++--
 media/libmedia/IAudioTrack.cpp | 8 ++++++--
 3 files changed, 26 insertions(+), 9 deletions(-)
(limited to 'media')
diff --git a/media/libmedia/IAudioFlinger.cpp b/media/libmedia/IAudioFlinger.cpp
index fc39a46..5089157 100644
--- a/media/libmedia/IAudioFlinger.cpp
+++ b/media/libmedia/IAudioFlinger.cpp
@@ -83,6 +83,7 @@ public:
 status_t *status)
 {
 Parcel data, reply;
+ sp track;
 data.writeInterfaceToken(IAudioFlinger::getInterfaceDescriptor());
 data.writeInt32(pid);
 data.writeInt32(streamType);
@@ -96,12 +97,14 @@ public:
 status_t lStatus = remote()->transact(CREATE_TRACK, data, &reply);
 if (lStatus != NO_ERROR) {
 LOGE("createTrack error: %s", strerror(-lStatus));
+ } else {
+ lStatus = reply.readInt32();
+ track = interface_cast(reply.readStrongBinder());
 }
- lStatus = reply.readInt32();
 if (status) {
 *status = lStatus;
 }
- return interface_cast(reply.readStrongBinder());
+ return track;
 }
 virtual sp openRecord(
@@ -115,6 +118,7 @@ public:
 status_t *status)
 {
 Parcel data, reply;
+ sp record;
 data.writeInterfaceToken(IAudioFlinger::getInterfaceDescriptor());
 data.writeInt32(pid);
 data.writeInt32(input);
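Review bot: In createTrack (the `-96,12 +97,14` hunk), the new else branch hands the caller whatever status/binder pair the reply carries, so `NO_ERROR` with a null binder, or an error status with a non-null binder, comes back as an inconsistent result. The reply is produced by another process, so the proxy should normalize it: turn a null track under `NO_ERROR` into a failure and clear any track that arrives with an error status, as sketched below. The `record` assignment in openRecord (the `-123,12 +127,17` hunk) has the same gap and wants the same treatment. createTrack's signature begins outside the hunk.

```cpp
    } else {
        lStatus = reply.readInt32();
        track = interface_cast<IAudioTrack>(reply.readStrongBinder());
        if (lStatus == NO_ERROR && track == 0) {
            // A successful status must come with a usable interface.
            LOGE("createTrack: NO_ERROR reply carried no IAudioTrack");
            lStatus = UNKNOWN_ERROR;
        } else if (lStatus != NO_ERROR) {
            // Never return a track the server reported as failed.
            track.clear();
        }
    }
    // … unchanged: *status assignment and return track …
```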
@@ -123,12 +127,17 @@ public:
 data.writeInt32(channelCount);
 data.writeInt32(frameCount);
 data.writeInt32(flags);
- remote()->transact(OPEN_RECORD, data, &reply);
- status_t lStatus = reply.readInt32();
+ status_t lStatus = remote()->transact(OPEN_RECORD, data, &reply);
+ if (lStatus != NO_ERROR) {
+ LOGE("openRecord error: %s", strerror(-lStatus));
+ } else {
+ lStatus = reply.readInt32();
+ record = interface_cast(reply.readStrongBinder());
+ }
 if (status) {
 *status = lStatus;
 }
- return interface_cast(reply.readStrongBinder());
+ return record;
 }
 virtual uint32_t sampleRate(int output) const
diff --git a/media/libmedia/IAudioRecord.cpp b/media/libmedia/IAudioRecord.cpp
index 8fb5d3d..dacf75a 100644
--- a/media/libmedia/IAudioRecord.cpp
+++ b/media/libmedia/IAudioRecord.cpp
@@ -56,9 +56,13 @@ public:
 virtual sp getCblk() const
 {
 Parcel data, reply;
+ sp cblk;
 data.writeInterfaceToken(IAudioRecord::getInterfaceDescriptor());
- remote()->transact(GET_CBLK, data, &reply);
- return interface_cast(reply.readStrongBinder());
+ status_t status = remote()->transact(GET_CBLK, data, &reply);
+ if (status == NO_ERROR) {
+ cblk = interface_cast(reply.readStrongBinder());
+ }
+ return cblk;
 }
 };
diff --git a/media/libmedia/IAudioTrack.cpp b/media/libmedia/IAudioTrack.cpp
index 75b861b..7f43347 100644
--- a/media/libmedia/IAudioTrack.cpp
+++ b/media/libmedia/IAudioTrack.cpp
@@ -81,9 +81,13 @@ public:
 virtual sp getCblk() const
 {
 Parcel data, reply;
+ sp cblk;
 data.writeInterfaceToken(IAudioTrack::getInterfaceDescriptor());
- remote()->transact(GET_CBLK, data, &reply);
- return interface_cast(reply.readStrongBinder());
+ status_t status = remote()->transact(GET_CBLK, data, &reply);
+ if (status == NO_ERROR) {
+ cblk = interface_cast(reply.readStrongBinder());
+ }
+ return cblk;
 }
 };
--
cgit v1.1
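Review bot: In IAudioRecord's getCblk, a failed transaction now disappears silently: `status` is tested but neither logged nor returned, whereas createTrack and openRecord in IAudioFlinger.cpp log the failure with LOGE. Add an else branch such as `LOGE("getCblk error: %d", status);` so a failing remote call is visible when diagnosing a client that receives no control block. The method should also carry a comment along the lines of `// Returns a null sp if the transaction fails; callers must check before use.`, since the null return is the only failure signal it has. The getCblk hunk in IAudioTrack.cpp is identical and needs the same two additions; whether existing callers already check for null cannot be seen from this diff.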