From e67a2babcccf11e5209afc39d368eb79b1d35c21 Mon Sep 17 00:00:00 2001 From: Roman Birg Date: Tue, 3 May 2016 11:54:28 -0700 Subject: soundtrigger: fill in default extras from dsp We seem to get an improper offset when getting the value from the DSP (offset 100, data size 1), when this happens, return a new phrase event with valid extras which are initialized to some default values. Change-Id: Ie041f78fec6bdbcd82286b54a7b7fb0c98c740f5 Signed-off-by: Roman Birg --- services/soundtrigger/SoundTriggerHwService.cpp | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'services/soundtrigger/SoundTriggerHwService.cpp') diff --git a/services/soundtrigger/SoundTriggerHwService.cpp b/services/soundtrigger/SoundTriggerHwService.cpp index 9de6fe2..371c81a 100644 --- a/services/soundtrigger/SoundTriggerHwService.cpp +++ b/services/soundtrigger/SoundTriggerHwService.cpp @@ -270,6 +270,37 @@ void SoundTriggerHwService::sendRecognitionEvent(struct sound_trigger_recognitio if (module == NULL) { return; } + if (event-> type == SOUND_MODEL_TYPE_KEYPHRASE && event->data_size != 0 + && event->data_offset != sizeof(struct sound_trigger_phrase_recognition_event)) { + // set some defaults for the phrase if the recognition event won't be parsed properly + // TODO: read defaults from the config + + struct sound_trigger_phrase_recognition_event newEvent; + memset(&newEvent, 0, sizeof(struct sound_trigger_phrase_recognition_event)); + + sp model = module->getModel(event->model); + + newEvent.num_phrases = 1; + newEvent.phrase_extras[0].id = 100; + newEvent.phrase_extras[0].recognition_modes = RECOGNITION_MODE_VOICE_TRIGGER; + newEvent.phrase_extras[0].confidence_level = 100; + newEvent.phrase_extras[0].num_levels = 1; + newEvent.phrase_extras[0].levels[0].level = 100; + newEvent.phrase_extras[0].levels[0].user_id = 100; + newEvent.common.status = event->status; + newEvent.common.type = event->type; + newEvent.common.model = event->model; + newEvent.common.capture_available = event->capture_available; + newEvent.common.capture_session = event->capture_session; + newEvent.common.capture_delay_ms = event->capture_delay_ms; + newEvent.common.capture_preamble_ms = event->capture_preamble_ms; + newEvent.common.trigger_in_data = event->trigger_in_data; + newEvent.common.audio_config = event->audio_config; + newEvent.common.data_size = event->data_size; + newEvent.common.data_offset = sizeof(struct sound_trigger_phrase_recognition_event); + + event = &newEvent.common; + } sp eventMemory = prepareRecognitionEvent_l(event); if (eventMemory == 0) { return; -- cgit v1.1 From b6af3b9bc072c4d832db9dc93ff818472cd50069 Mon Sep 17 00:00:00 2001 From: Eric Laurent Date: Wed, 17 Aug 2016 06:19:32 -0700 Subject: soundtrigger: add size check on sound model and recogntion data Bug: 30148546 Change-Id: I082f535a853c96571887eeea37c6d41ecee7d8c0 (cherry picked from commit bb00d8f139ff51336ab3c810d35685003949bcf8) (cherry picked from commit ef0c91518446e65533ca8bab6726a845f27c73fd) --- services/soundtrigger/SoundTriggerHwService.cpp | 38 +++++++++++++++++++------ 1 file changed, 30 insertions(+), 8 deletions(-) (limited to 'services/soundtrigger/SoundTriggerHwService.cpp') diff --git a/services/soundtrigger/SoundTriggerHwService.cpp b/services/soundtrigger/SoundTriggerHwService.cpp index 9de6fe2..e428388 100644 --- a/services/soundtrigger/SoundTriggerHwService.cpp +++ b/services/soundtrigger/SoundTriggerHwService.cpp @@ -534,6 +534,22 @@ status_t SoundTriggerHwService::Module::loadSoundModel(const sp& modelM struct sound_trigger_sound_model *sound_model = (struct sound_trigger_sound_model *)modelMemory->pointer(); + size_t structSize; + if (sound_model->type == SOUND_MODEL_TYPE_KEYPHRASE) { + structSize = sizeof(struct sound_trigger_phrase_sound_model); + } else { + structSize = sizeof(struct sound_trigger_sound_model); + } + + if (sound_model->data_offset < structSize || + sound_model->data_size > (UINT_MAX - sound_model->data_offset) || + modelMemory->size() < sound_model->data_offset || + sound_model->data_size > (modelMemory->size() - sound_model->data_offset)) { + android_errorWriteLog(0x534e4554, "30148546"); + ALOGE("loadSoundModel() data_size is too big"); + return BAD_VALUE; + } + AutoMutex lock(mLock); if (mModels.size() >= mDescriptor.properties.max_sound_models) { @@ -603,11 +619,23 @@ status_t SoundTriggerHwService::Module::startRecognition(sound_model_handle_t ha return PERMISSION_DENIED; } - if (dataMemory != 0 && dataMemory->pointer() == NULL) { - ALOGE("startRecognition() dataMemory is non-0 but has NULL pointer()"); + if (dataMemory == 0 || dataMemory->pointer() == NULL) { + ALOGE("startRecognition() dataMemory is 0 or has NULL pointer()"); return BAD_VALUE; } + + struct sound_trigger_recognition_config *config = + (struct sound_trigger_recognition_config *)dataMemory->pointer(); + + if (config->data_offset < sizeof(struct sound_trigger_recognition_config) || + config->data_size > (UINT_MAX - config->data_offset) || + dataMemory->size() < config->data_offset || + config->data_size > (dataMemory->size() - config->data_offset)) { + ALOGE("startRecognition() data_size is too big"); + return BAD_VALUE; + } + AutoMutex lock(mLock); if (mServiceState == SOUND_TRIGGER_STATE_DISABLED) { return INVALID_OPERATION; @@ -616,17 +644,11 @@ status_t SoundTriggerHwService::Module::startRecognition(sound_model_handle_t ha if (model == 0) { return BAD_VALUE; } - if ((dataMemory == 0) || - (dataMemory->size() < sizeof(struct sound_trigger_recognition_config))) { - return BAD_VALUE; - } if (model->mState == Model::STATE_ACTIVE) { return INVALID_OPERATION; } - struct sound_trigger_recognition_config *config = - (struct sound_trigger_recognition_config *)dataMemory->pointer(); //TODO: get capture handle and device from audio policy service config->capture_handle = model->mCaptureIOHandle; -- cgit v1.1