audio: Add checks to effects feature configs retrieval

The size of the feature config needs to be limited by the Binder transaction size. This check is enforced before calling into legacy C API. Also, fixed invalid calculation of buffer size in Effect::getSupportedConfigsImpl. Bug: 240266798 Test: atest VtsHalAudioEffectV7_0TargetTest Change-Id: I1a1f7931a07e28642967fa68d9a358429138db29
author: Mikhail Naganov <mnaganov@google.com> 2022-09-01 00:31:43 +0000
committer: Mikhail Naganov <mnaganov@google.com> 2022-09-01 00:35:52 +0000
commit: 8e3480edfe9933306f82c1656deb8e6b7090273c (patch)
tree: c03bd78d5711174a1d87b75082d9f4ba29503ed6 /audio/effect/all-versions/default/Effect.cpp
parent: 44c3a78ff196ab518c05086f28bdb27cdf7df405 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/audio/effect/all-versions/default/Effect.cpp b/audio/effect/all-versions/default/Effect.cpp
index def3a3f3fb..b57dc63368 100644
--- a/audio/effect/all-versions/default/Effect.cpp
+++ b/audio/effect/all-versions/default/Effect.cpp
@@ -316,6 +316,11 @@ void Effect::getConfigImpl(int commandCode, const char* commandName, GetConfigCa
 
 Result Effect::getCurrentConfigImpl(uint32_t featureId, uint32_t configSize,
                                     GetCurrentConfigSuccessCallback onSuccess) {
+    if (configSize > kMaxDataSize - sizeof(uint32_t)) {
+        ALOGE("%s: Config size is too big: %" PRIu32, __func__, configSize);
+        android_errorWriteLog(0x534e4554, "240266798");
+        return Result::INVALID_ARGUMENTS;
+    }
     uint32_t halCmd = featureId;
     std::vector<uint32_t> halResult(alignedSizeIn<uint32_t>(sizeof(uint32_t) + configSize), 0);
     uint32_t halResultSize = 0;
@@ -350,8 +355,12 @@ Result Effect::getParameterImpl(uint32_t paramSize, const void* paramData,
 
 Result Effect::getSupportedConfigsImpl(uint32_t featureId, uint32_t maxConfigs, uint32_t configSize,
                                        GetSupportedConfigsSuccessCallback onSuccess) {
+    if (maxConfigs != 0 && configSize > (kMaxDataSize - 2 * sizeof(uint32_t)) / maxConfigs) {
+        ALOGE("%s: Config size is too big: %" PRIu32, __func__, configSize);
+        return Result::INVALID_ARGUMENTS;
+    }
     uint32_t halCmd[2] = {featureId, maxConfigs};
-    uint32_t halResultSize = 2 * sizeof(uint32_t) + maxConfigs * sizeof(configSize);
+    uint32_t halResultSize = 2 * sizeof(uint32_t) + maxConfigs * configSize;
     std::vector<uint8_t> halResult(static_cast<size_t>(halResultSize), 0);
     return sendCommandReturningStatusAndData(
         EFFECT_CMD_GET_FEATURE_SUPPORTED_CONFIGS, "GET_FEATURE_SUPPORTED_CONFIGS", sizeof(halCmd),
author	Mikhail Naganov <mnaganov@google.com>	2022-09-01 00:31:43 +0000
committer	Mikhail Naganov <mnaganov@google.com>	2022-09-01 00:35:52 +0000
commit	8e3480edfe9933306f82c1656deb8e6b7090273c (patch)
tree	c03bd78d5711174a1d87b75082d9f4ba29503ed6 /audio/effect/all-versions/default/Effect.cpp
parent	44c3a78ff196ab518c05086f28bdb27cdf7df405 (diff)