Check newAudioUniqueId() parameter 'use'
Bug: 28025366
Change-Id: Ice81e47cb919aa2aa6c78ccadebe9a1f19668f9c
diff --git a/services/audioflinger/AudioFlinger.cpp b/services/audioflinger/AudioFlinger.cpp
index e5c7177..208dc8b 100644
--- a/services/audioflinger/AudioFlinger.cpp
+++ b/services/audioflinger/AudioFlinger.cpp
@@ -2258,6 +2258,12 @@
audio_unique_id_t AudioFlinger::newAudioUniqueId(audio_unique_id_use_t use)
{
+ // This is a binder API, so a malicious client could pass in a bad parameter.
+ // Check for that before calling the internal API nextUniqueId().
+ if ((unsigned) use >= (unsigned) AUDIO_UNIQUE_ID_USE_MAX) {
+ ALOGE("newAudioUniqueId invalid use %d", use);
+ return AUDIO_UNIQUE_ID_ALLOCATE;
+ }
return nextUniqueId(use);
}
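Review bot: The rejection path at the top of newAudioUniqueId() logs with ALOGE on every bad call, and because any binder client can reach it, the message can be repeated without limit while carrying nothing that identifies the sender. Recording the caller would make the line usable for triage, e.g. `ALOGE("newAudioUniqueId invalid use %d from uid %d", use, IPCThreadState::self()->getCallingUid());`, assuming IPCThreadState is already available in this file. The comment could also state that AUDIO_UNIQUE_ID_ALLOCATE is the failure value, e.g. `// Returns AUDIO_UNIQUE_ID_ALLOCATE if 'use' is out of range.`, so callers know what to test for. Whether existing clients treat that value as invalid is not visible in this hunk.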
@@ -2421,6 +2427,7 @@
int32_t base = android_atomic_add(AUDIO_UNIQUE_ID_USE_MAX, &mNextUniqueId);
// We have no way of recovering from wraparound
LOG_ALWAYS_FATAL_IF(base == 0, "unique ID overflow");
+ // This is the internal API, so it is OK to assert on bad parameter.
LOG_ALWAYS_FATAL_IF((unsigned) use >= (unsigned) AUDIO_UNIQUE_ID_USE_MAX);
ALOG_ASSERT(audio_unique_id_get_use(base) == AUDIO_UNIQUE_ID_USE_UNSPECIFIED);
return (audio_unique_id_t) (base | use);
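Review bot: The added comment should spell out the precondition it relies on: LOG_ALWAYS_FATAL_IF aborts the process, so any caller that takes `use` from a binder transaction has to range-check it before calling nextUniqueId(), otherwise a client-supplied value becomes a crash of the service. Wording such as `// Internal API: callers must validate 'use' first (see newAudioUniqueId()); a bad value aborts the process.` makes that explicit. The fatal check on the following line also has no message, unlike the overflow check above it; `LOG_ALWAYS_FATAL_IF((unsigned) use >= (unsigned) AUDIO_UNIQUE_ID_USE_MAX, "invalid use %d", use);` would make the abort log self-explanatory. The function begins and ends outside this hunk, so other callers could not be checked here.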
diff --git a/services/audioflinger/AudioFlinger.h b/services/audioflinger/AudioFlinger.h
index f11fd1c..498c33e 100644
--- a/services/audioflinger/AudioFlinger.h
+++ b/services/audioflinger/AudioFlinger.h
@@ -196,6 +196,7 @@
virtual uint32_t getInputFramesLost(audio_io_handle_t ioHandle) const;
+ // This is the binder API. For the internal API see nextUniqueId().
virtual audio_unique_id_t newAudioUniqueId(audio_unique_id_use_t use);
virtual void acquireAudioSessionId(audio_session_t audioSession, pid_t pid);
@@ -559,6 +560,7 @@
// or from positive to negative (for signed IDs).
// Thus it may fail by returning an ID of the wrong sign,
// or by returning a non-unique ID.
+ // This is the internal API. For the binder API see newAudioUniqueId().
audio_unique_id_t nextUniqueId(audio_unique_id_use_t use);
status_t moveEffectChain_l(audio_session_t sessionId,