From b9096dc829bd9ffd912f88853a87c972086c8796 Mon Sep 17 00:00:00 2001
From: Eric Laurent <elaurent@google.com>
Date: Mon, 4 May 2015 15:29:36 -0700
Subject: Check memory allocation in ISoundTriggerHwService

Add memory allocation check in ISoundTriggerHwService::listModules().

Bug: 19385640.
Change-Id: Iaf74b6f154c3437e1bfc9da78b773d64b16a7604
---
 soundtrigger/ISoundTriggerHwService.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'soundtrigger')

diff --git a/soundtrigger/ISoundTriggerHwService.cpp b/soundtrigger/ISoundTriggerHwService.cpp
index 75f68b8..e14a771 100644
--- a/soundtrigger/ISoundTriggerHwService.cpp
+++ b/soundtrigger/ISoundTriggerHwService.cpp
@@ -40,6 +40,8 @@ enum {
     SET_CAPTURE_STATE,
 };
 
+#define MAX_ITEMS_PER_LIST 1024
+
 class BpSoundTriggerHwService: public BpInterface<ISoundTriggerHwService>
 {
 public:
@@ -116,10 +118,18 @@ status_t BnSoundTriggerHwService::onTransact(
         case LIST_MODULES: {
             CHECK_INTERFACE(ISoundTriggerHwService, data, reply);
             unsigned int numModulesReq = data.readInt32();
+            if (numModulesReq > MAX_ITEMS_PER_LIST) {
+                numModulesReq = MAX_ITEMS_PER_LIST;
+            }
             unsigned int numModules = numModulesReq;
             struct sound_trigger_module_descriptor *modules =
                     (struct sound_trigger_module_descriptor *)calloc(numModulesReq,
                                                    sizeof(struct sound_trigger_module_descriptor));
+            if (modules == NULL) {
+                reply->writeInt32(NO_MEMORY);
+                reply->writeInt32(0);
+                return NO_ERROR;
+            }
             status_t status = listModules(modules, &numModules);
             reply->writeInt32(status);
             reply->writeInt32(numModules);
-- 
cgit v1.1