diff options
| author | Mikhail Naganov <mnaganov@google.com> | 2019-11-21 14:03:19 -0800 |
|---|---|---|
| committer | Mikhail Naganov <mnaganov@google.com> | 2019-11-21 14:05:45 -0800 |
| commit | 2a652cec4b981ac50a00fc22f8393bf4a7f02f0a (patch) | |
| tree | 41c6d831f9009ba0a621884f38e4a3ccdf1aaa7a /audio/effect/all-versions/default/Effect.cpp | |
| parent | 69472910fd1745b41abf55836e2bc1ae0b1b5457 (diff) | |
audio effect: Avoid using stack-allocated arrays
This is to prevent OOB write in case when a sufficiently
large HIDL vector is provided via a HwBinder call.
Bug: 143787559
Test: atest VtsHalAudioEffectV5_0TargetTest
Change-Id: I6ea78804a5a3ed7a245929d3de47580b12c0da9a
Diffstat (limited to 'audio/effect/all-versions/default/Effect.cpp')
| -rw-r--r-- | audio/effect/all-versions/default/Effect.cpp | 28 |
1 files changed, 12 insertions, 16 deletions
diff --git a/audio/effect/all-versions/default/Effect.cpp b/audio/effect/all-versions/default/Effect.cpp index 0afa779f03..e11e123038 100644 --- a/audio/effect/all-versions/default/Effect.cpp +++ b/audio/effect/all-versions/default/Effect.cpp @@ -307,12 +307,11 @@ void Effect::getConfigImpl(int commandCode, const char* commandName, GetConfigCa Result Effect::getCurrentConfigImpl(uint32_t featureId, uint32_t configSize, GetCurrentConfigSuccessCallback onSuccess) { uint32_t halCmd = featureId; - uint32_t halResult[alignedSizeIn<uint32_t>(sizeof(uint32_t) + configSize)]; - memset(halResult, 0, sizeof(halResult)); + std::vector<uint32_t> halResult(alignedSizeIn<uint32_t>(sizeof(uint32_t) + configSize), 0); uint32_t halResultSize = 0; - return sendCommandReturningStatusAndData(EFFECT_CMD_GET_FEATURE_CONFIG, "GET_FEATURE_CONFIG", - sizeof(uint32_t), &halCmd, &halResultSize, halResult, - sizeof(uint32_t), [&] { onSuccess(&halResult[1]); }); + return sendCommandReturningStatusAndData( + EFFECT_CMD_GET_FEATURE_CONFIG, "GET_FEATURE_CONFIG", sizeof(uint32_t), &halCmd, + &halResultSize, &halResult[0], sizeof(uint32_t), [&] { onSuccess(&halResult[1]); }); } Result Effect::getParameterImpl(uint32_t paramSize, const void* paramData, @@ -339,8 +338,7 @@ Result Effect::getSupportedConfigsImpl(uint32_t featureId, uint32_t maxConfigs, GetSupportedConfigsSuccessCallback onSuccess) { uint32_t halCmd[2] = {featureId, maxConfigs}; uint32_t halResultSize = 2 * sizeof(uint32_t) + maxConfigs * sizeof(configSize); - uint8_t halResult[halResultSize]; - memset(&halResult[0], 0, halResultSize); + std::vector<uint8_t> halResult(static_cast<size_t>(halResultSize), 0); return sendCommandReturningStatusAndData( EFFECT_CMD_GET_FEATURE_SUPPORTED_CONFIGS, "GET_FEATURE_SUPPORTED_CONFIGS", sizeof(halCmd), halCmd, &halResultSize, &halResult[0], 2 * sizeof(uint32_t), [&] { @@ -519,9 +517,9 @@ Return<void> Effect::setAndGetVolume(const hidl_vec<uint32_t>& volumes, uint32_t halDataSize; std::unique_ptr<uint8_t[]> halData = hidlVecToHal(volumes, &halDataSize); uint32_t halResultSize = halDataSize; - uint32_t halResult[volumes.size()]; + std::vector<uint32_t> halResult(volumes.size(), 0); Result retval = sendCommandReturningData(EFFECT_CMD_SET_VOLUME, "SET_VOLUME", halDataSize, - &halData[0], &halResultSize, halResult); + &halData[0], &halResultSize, &halResult[0]); hidl_vec<uint32_t> result; if (retval == Result::OK) { result.setToExternal(&halResult[0], halResultSize); @@ -581,8 +579,6 @@ Return<void> Effect::getSupportedAuxChannelsConfigs(uint32_t maxConfigs, } Return<void> Effect::getAuxChannelsConfig(getAuxChannelsConfig_cb _hidl_cb) { - uint32_t halResult[alignedSizeIn<uint32_t>(sizeof(uint32_t) + sizeof(channel_config_t))]; - memset(halResult, 0, sizeof(halResult)); EffectAuxChannelsConfig result; Result retval = getCurrentConfigImpl( EFFECT_FEATURE_AUX_CHANNELS, sizeof(channel_config_t), [&](void* configData) { @@ -594,11 +590,12 @@ Return<void> Effect::getAuxChannelsConfig(getAuxChannelsConfig_cb _hidl_cb) { } Return<Result> Effect::setAuxChannelsConfig(const EffectAuxChannelsConfig& config) { - uint32_t halCmd[alignedSizeIn<uint32_t>(sizeof(uint32_t) + sizeof(channel_config_t))]; + std::vector<uint32_t> halCmd( + alignedSizeIn<uint32_t>(sizeof(uint32_t) + sizeof(channel_config_t)), 0); halCmd[0] = EFFECT_FEATURE_AUX_CHANNELS; effectAuxChannelsConfigToHal(config, reinterpret_cast<channel_config_t*>(&halCmd[1])); return sendCommandReturningStatus(EFFECT_CMD_SET_FEATURE_CONFIG, - "SET_FEATURE_CONFIG AUX_CHANNELS", sizeof(halCmd), halCmd); + "SET_FEATURE_CONFIG AUX_CHANNELS", halCmd.size(), &halCmd[0]); } Return<Result> Effect::setAudioSource(AudioSource source) { @@ -692,12 +689,11 @@ Return<void> Effect::getCurrentConfigForFeature(uint32_t featureId, uint32_t con Return<Result> Effect::setCurrentConfigForFeature(uint32_t featureId, const hidl_vec<uint8_t>& configData) { - uint32_t halCmd[alignedSizeIn<uint32_t>(sizeof(uint32_t) + configData.size())]; - memset(halCmd, 0, sizeof(halCmd)); + std::vector<uint32_t> halCmd(alignedSizeIn<uint32_t>(sizeof(uint32_t) + configData.size()), 0); halCmd[0] = featureId; memcpy(&halCmd[1], &configData[0], configData.size()); return sendCommandReturningStatus(EFFECT_CMD_SET_FEATURE_CONFIG, "SET_FEATURE_CONFIG", - sizeof(halCmd), halCmd); + halCmd.size(), &halCmd[0]); } Return<Result> Effect::close() { |