From 6ad8c64ce9ac6fff7a3f2510cd948f3457842510 Mon Sep 17 00:00:00 2001
From: Eric Laurent
Date: Wed, 9 Sep 2009 05:16:08 -0700
Subject: Fix issue 2107584: media server crash when AudioFlinger fails to allocate memory for track control block. AudioFlinger: verify that mCblk is not null before using it in Track and RecordTrack contructors. IAudioFlinger: check result of remote transaction before reading IAudioTrack and IAudioRecord. IAudioTrack and IAudioRecord: check result of remote transaction before reading IMemory.
---
 libs/audioflinger/AudioFlinger.cpp | 49 +++++++++++++++++++++-----------------
 1 file changed, 27 insertions(+), 22 deletions(-)
diff --git a/libs/audioflinger/AudioFlinger.cpp b/libs/audioflinger/AudioFlinger.cpp
index e2b6b51..790a655 100644
--- a/libs/audioflinger/AudioFlinger.cpp
+++ b/libs/audioflinger/AudioFlinger.cpp
@@ -2014,6 +2014,7 @@ AudioFlinger::ThreadBase::TrackBase::TrackBase(
 : RefBase(),
 mThread(thread),
 mClient(client),
+ mCblk(0),
 mFrameCount(0),
 mState(IDLE),
 mClientTid(-1),
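Review bot: The new `mCblk(0)` initializer is what every later null check depends on, but nothing at this line says so, and it spells the null value differently from the `mCblk != NULL` tests added in the Track and RecordTrack hunks. I would write `mCblk(NULL),` and put a comment above it such as `// stays NULL when the control block cannot be allocated; derived constructors and callers must check`. The TrackBase constructor body is outside the hunk, so whether its failure path leaves the other members (for example the buffer pointers) in a defined state cannot be confirmed from here.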
@@ -2162,21 +2163,23 @@ AudioFlinger::PlaybackThread::Track::Track(
 : TrackBase(thread, client, sampleRate, format, channelCount, frameCount, 0, sharedBuffer),
 mMute(false), mSharedBuffer(sharedBuffer), mName(-1)
 {
- sp baseThread = thread.promote();
- if (baseThread != 0) {
- PlaybackThread *playbackThread = (PlaybackThread *)baseThread.get();
- mName = playbackThread->getTrackName_l();
- }
- LOGV("Track constructor name %d, calling thread %d", mName, IPCThreadState::self()->getCallingPid());
- if (mName < 0) {
- LOGE("no more track names available");
+ if (mCblk != NULL) {
+ sp baseThread = thread.promote();
+ if (baseThread != 0) {
+ PlaybackThread *playbackThread = (PlaybackThread *)baseThread.get();
+ mName = playbackThread->getTrackName_l();
+ }
+ LOGV("Track constructor name %d, calling thread %d", mName, IPCThreadState::self()->getCallingPid());
+ if (mName < 0) {
+ LOGE("no more track names available");
+ }
+ mVolume[0] = 1.0f;
+ mVolume[1] = 1.0f;
+ mStreamType = streamType;
+ // NOTE: audio_track_cblk_t::frameSize for 8 bit PCM data is based on a sample size of
+ // 16 bit because data is converted to 16 bit before being stored in buffer by AudioTrack
+ mCblk->frameSize = AudioSystem::isLinearPCM(format) ? channelCount * sizeof(int16_t) : sizeof(int8_t);
 }
- mVolume[0] = 1.0f;
- mVolume[1] = 1.0f;
- mStreamType = streamType;
- // NOTE: audio_track_cblk_t::frameSize for 8 bit PCM data is based on a sample size of
- // 16 bit because data is converted to 16 bit before being stored in buffer by AudioTrack
- mCblk->frameSize = AudioSystem::isLinearPCM(format) ? channelCount * sizeof(int16_t) : sizeof(int8_t);
 }
 
 AudioFlinger::PlaybackThread::Track::~Track()
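Review bot: Moving `mVolume[0] = 1.0f;`, `mVolume[1] = 1.0f;` and `mStreamType = streamType;` inside `if (mCblk != NULL)` leaves those members indeterminate when the control block allocation failed, although none of them touches mCblk; only the `mCblk->frameSize = ...` line needs the guard. Keep the three assignments unconditional (or move them into the initializer list) so a half-built Track never exposes uninitialized state to its destructor or to code that runs before the object is discarded. The failure is also silent at this point: a constructor cannot return an error, so every creator of a Track has to test the control block afterwards and drop the object, and that caller code is not part of this diff, so it should be confirmed; the same applies to the RecordTrack hunk below. Because the allocation failure is reachable at runtime (it is the crash this commit fixes), any missed check is again a crash of the media server process.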
@@ -2390,14 +2393,16 @@ AudioFlinger::RecordThread::RecordTrack::RecordTrack(
 channelCount, frameCount, flags, 0),
 mOverflow(false)
 {
- LOGV("RecordTrack constructor, size %d", (int)mBufferEnd - (int)mBuffer);
- if (format == AudioSystem::PCM_16_BIT) {
- mCblk->frameSize = channelCount * sizeof(int16_t);
- } else if (format == AudioSystem::PCM_8_BIT) {
- mCblk->frameSize = channelCount * sizeof(int8_t);
- } else {
- mCblk->frameSize = sizeof(int8_t);
- }
+ if (mCblk != NULL) {
+ LOGV("RecordTrack constructor, size %d", (int)mBufferEnd - (int)mBuffer);
+ if (format == AudioSystem::PCM_16_BIT) {
+ mCblk->frameSize = channelCount * sizeof(int16_t);
+ } else if (format == AudioSystem::PCM_8_BIT) {
+ mCblk->frameSize = channelCount * sizeof(int8_t);
+ } else {
+ mCblk->frameSize = sizeof(int8_t);
+ }
+ }
 }
 
 AudioFlinger::RecordThread::RecordTrack::~RecordTrack()
-- 
cgit v1.1
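Review bot: The re-indented `LOGV` line still computes the size as `(int)mBufferEnd - (int)mBuffer`, which converts each operand to int before subtracting; if these members are pointers (their declarations are outside this diff) that truncates on a 64-bit build. Subtracting first and converting the difference once, e.g. `(int)((char *)mBufferEnd - (char *)mBuffer)`, avoids it. It would also help to add an `else` branch with a `LOGE` so that a RecordTrack built without a control block leaves a trace in the log, unless TrackBase already logs the failure outside this hunk.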