Check newAudioUniqueId() parameter 'use'
Bug: 28025366
Change-Id: Ice81e47cb919aa2aa6c78ccadebe9a1f19668f9c
diff --git a/services/audioflinger/AudioFlinger.cpp b/services/audioflinger/AudioFlinger.cpp
index e5c7177..208dc8b 100644
--- a/services/audioflinger/AudioFlinger.cpp
+++ b/services/audioflinger/AudioFlinger.cpp
@@ -2258,6 +2258,12 @@
audio_unique_id_t AudioFlinger::newAudioUniqueId(audio_unique_id_use_t use)
{
+ // This is a binder API, so a malicious client could pass in a bad parameter.
+ // Check for that before calling the internal API nextUniqueId().
+ if ((unsigned) use >= (unsigned) AUDIO_UNIQUE_ID_USE_MAX) {
+ ALOGE("newAudioUniqueId invalid use %d", use);
+ return AUDIO_UNIQUE_ID_ALLOCATE;
+ }
return nextUniqueId(use);
}
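Review bot: The rejected-parameter path returns `AUDIO_UNIQUE_ID_ALLOCATE` without stating that this value is the failure sentinel, so callers on either side of the binder interface have nothing telling them to test the result. A line such as `// AUDIO_UNIQUE_ID_ALLOCATE doubles as the error value; callers must not treat it as an allocated ID.` above the `return` would make the contract explicit. The `ALOGE` also does not record which client sent the bad value; if `IPCThreadState` is in scope in this file (not visible in the hunk), `ALOGE("newAudioUniqueId invalid use %d from uid %u", use, (unsigned) IPCThreadState::self()->getCallingUid());` would let the log attribute the request. Because any client can trigger this message at will, it is also worth confirming that repeated calls cannot flood the log.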
@@ -2421,6 +2427,7 @@
int32_t base = android_atomic_add(AUDIO_UNIQUE_ID_USE_MAX, &mNextUniqueId);
// We have no way of recovering from wraparound
LOG_ALWAYS_FATAL_IF(base == 0, "unique ID overflow");
+ // This is the internal API, so it is OK to assert on bad parameter.
LOG_ALWAYS_FATAL_IF((unsigned) use >= (unsigned) AUDIO_UNIQUE_ID_USE_MAX);
ALOG_ASSERT(audio_unique_id_get_use(base) == AUDIO_UNIQUE_ID_USE_UNSPECIFIED);
return (audio_unique_id_t) (base | use);
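Review bot: The added comment says asserting is acceptable here, but that only holds if every binder-reachable caller validates `use` before calling in. This commit shows only newAudioUniqueId() doing so, and any other path that forwards a client-supplied value would let that client abort the process. I would word the comment as `// Internal API: all binder-facing callers must validate 'use' first, because this check aborts the process.`. The range check also runs after `android_atomic_add` and carries no message, unlike the overflow check above it; `LOG_ALWAYS_FATAL_IF((unsigned) use >= (unsigned) AUDIO_UNIQUE_ID_USE_MAX, "invalid use %d", use);` would make an abort easier to diagnose. The enclosing function starts and ends outside the hunk.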