authorKevin Rocard <krocard@google.com>2017-03-31 19:36:29 -0700
committerKevin Rocard <krocard@google.com>2017-04-07 13:10:01 -0700
commitb6498cbdf6c04c631ccf6a6e65a1264b455e3088 (patch)
tree1ed097dccd2d4a8342ac12ced0dad33041d70feb /audio/2.0/default/StreamIn.cpp
parent67d550888a021633cc33cb284bb0658b008887c6 (diff)
Audio HAL: Check for buffer size overflow
The audio buffer size is not provided by the client; it is computed from the sample size and the number of samples. No check was done on whether the multiplication of these two numbers would overflow. This led to erroneous memory accesses that crashed the media server. Test: Run on target Bug: 36311550 Change-Id: I3436800ab6ac1b5e6a6aa4d03d6b96910eb54652 Signed-off-by: Kevin Rocard <krocard@google.com>
Diffstat (limited to 'audio/2.0/default/StreamIn.cpp')
-rw-r--r--audio/2.0/default/StreamIn.cpp10
1 files changed, 8 insertions, 2 deletions
diff --git a/audio/2.0/default/StreamIn.cpp b/audio/2.0/default/StreamIn.cpp
index 97f8307bdf..4b7915117e 100644
--- a/audio/2.0/default/StreamIn.cpp
+++ b/audio/2.0/default/StreamIn.cpp
@@ -313,8 +313,14 @@ Return<void> StreamIn::prepareForReading(
return Void();
}
std::unique_ptr<CommandMQ> tempCommandMQ(new CommandMQ(1));
- std::unique_ptr<DataMQ> tempDataMQ(
- new DataMQ(frameSize * framesCount, true /* EventFlag */));
+ if (frameSize > std::numeric_limits<size_t>::max() / framesCount) {
+ ALOGE("Requested buffer is too big, %d*%d can not fit in size_t", frameSize, framesCount);
+ _hidl_cb(Result::INVALID_ARGUMENTS,
+ CommandMQ::Descriptor(), DataMQ::Descriptor(), StatusMQ::Descriptor(), threadInfo);
+ return Void();
+ }
+ std::unique_ptr<DataMQ> tempDataMQ(new DataMQ(frameSize * framesCount, true /* EventFlag */));
+
std::unique_ptr<StatusMQ> tempStatusMQ(new StatusMQ(1));
if (!tempCommandMQ->isValid() || !tempDataMQ->isValid() || !tempStatusMQ->isValid()) {
ALOGE_IF(!tempCommandMQ->isValid(), "command MQ is invalid");
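Review bot: The new guard in `prepareForReading` divides by `framesCount` without first excluding zero, so unless an earlier check outside this hunk rejects it, a request with `framesCount == 0` faults on `std::numeric_limits<size_t>::max() / framesCount` instead of returning `INVALID_ARGUMENTS`; the condition could read `if (framesCount == 0 || frameSize > std::numeric_limits<size_t>::max() / framesCount) {`. The parameter types are not visible here, but the `%d` format suggests 32-bit integers; if so, on a build with 64-bit `size_t` the comparison can never be true while `frameSize * framesCount` is still evaluated in 32-bit arithmetic and can wrap before it reaches the `DataMQ` constructor. Widening one operand, `new DataMQ(static_cast<size_t>(frameSize) * framesCount, true /* EventFlag */)`, or bounding the product by an explicit maximum buffer size would make the check match the multiplication it protects. If the values are unsigned, the log line should use `%u` rather than `%d`. The function starts before and continues after this hunk.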