From e038d1a32023ec3739a440bad4a6a3751a936e7a Mon Sep 17 00:00:00 2001 From: Xinyue Ling Date: Wed, 9 Feb 2022 14:14:25 +0800 Subject: WiFi: Use snprintf in place of sprintf Replace sprintf with snprintf as sprintf is deprecated. CRs-Fixed: 3126745 Change-Id: Ibb8c8cebf6cc8c17defeb833b2ec519bad71a2f5 --- wifi/1.5/default/wifi_chip.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wifi/1.5/default/wifi_chip.cpp b/wifi/1.5/default/wifi_chip.cpp index def8bb8226..afbff5e25d 100644 --- a/wifi/1.5/default/wifi_chip.cpp +++ b/wifi/1.5/default/wifi_chip.cpp @@ -233,7 +233,7 @@ bool cpioWriteHeader(int out_fd, struct stat& st, const char* file_name, size_t file_name_len) { std::array read_buf; ssize_t llen = - sprintf(read_buf.data(), + snprintf(read_buf.data(), read_buf.size(), "%s%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X", kCpioMagic, static_cast(st.st_ino), st.st_mode, st.st_uid, st.st_gid, static_cast(st.st_nlink), @@ -301,8 +301,8 @@ bool cpioWriteFileTrailer(int out_fd) { std::array read_buf; read_buf.fill(0); if (write(out_fd, read_buf.data(), - sprintf(read_buf.data(), "070701%040X%056X%08XTRAILER!!!", 1, - 0x0b, 0) + + snprintf(read_buf.data(), read_buf.size(), + "070701%040X%056X%08XTRAILER!!!", 1, 0x0b, 0) + 4) == -1) { PLOG(ERROR) << "Error writing trailing bytes"; return false; -- cgit v1.2.3 From fbfadba9f0255a972b960e46e44c68c2b11afda3 Mon Sep 17 00:00:00 2001 From: jiabin Date: Thu, 7 Jul 2022 18:13:45 +0000 Subject: Fix array out of bound in audioTransportToHal. The number of audio profile and extra audio descriptor must not be greater than the maximum value. Bug: 237288416 Bug: 237717857 Test: repo step in bug Test: atest android.hardware.audio.common@7.0-util_tests Change-Id: I1fcfa29d7841a1cb73bafb1ea92f3b1630992ae9 Merged-In: I1fcfa29d7841a1cb73bafb1ea92f3b1630992ae9 (cherry picked from commit 0ee75ca925f6334741d3e34c5e1d1b0efae5943b) (cherry picked from commit f16c6d3a5741768356159f099d04bfe2219c81fe) Merged-In: I1fcfa29d7841a1cb73bafb1ea92f3b1630992ae9 --- .../common/all-versions/default/7.0/HidlUtils.cpp | 5 +-- .../all-versions/default/tests/hidlutils_tests.cpp | 42 +++++++++++++++++----- 2 files changed, 36 insertions(+), 11 deletions(-) diff --git a/audio/common/all-versions/default/7.0/HidlUtils.cpp b/audio/common/all-versions/default/7.0/HidlUtils.cpp index 5a5b5d276a..af29da61f3 100644 --- a/audio/common/all-versions/default/7.0/HidlUtils.cpp +++ b/audio/common/all-versions/default/7.0/HidlUtils.cpp @@ -894,7 +894,7 @@ status_t HidlUtils::audioTransportsToHal(const hidl_vec& transpo for (const auto& transport : transports) { switch (transport.audioCapability.getDiscriminator()) { case AudioTransport::AudioCapability::hidl_discriminator::profile: - if (halPort->num_audio_profiles > AUDIO_PORT_MAX_AUDIO_PROFILES) { + if (halPort->num_audio_profiles >= AUDIO_PORT_MAX_AUDIO_PROFILES) { ALOGE("%s, too many audio profiles", __func__); result = BAD_VALUE; break; @@ -910,7 +910,8 @@ status_t HidlUtils::audioTransportsToHal(const hidl_vec& transpo result); break; case AudioTransport::AudioCapability::hidl_discriminator::edid: - if (halPort->num_extra_audio_descriptors > AUDIO_PORT_MAX_EXTRA_AUDIO_DESCRIPTORS) { + if (halPort->num_extra_audio_descriptors >= + AUDIO_PORT_MAX_EXTRA_AUDIO_DESCRIPTORS) { ALOGE("%s, too many extra audio descriptors", __func__); result = BAD_VALUE; break; diff --git a/audio/common/all-versions/default/tests/hidlutils_tests.cpp b/audio/common/all-versions/default/tests/hidlutils_tests.cpp index c9e6fac7b2..33ed3b99bb 100644 --- a/audio/common/all-versions/default/tests/hidlutils_tests.cpp +++ b/audio/common/all-versions/default/tests/hidlutils_tests.cpp @@ -954,6 +954,18 @@ TEST(HidlUtils, ConvertAudioPortConfig) { EXPECT_TRUE(audio_port_configs_are_equal(&halConfig, &halConfigBack)); } +static AudioProfile generateValidAudioProfile() { + AudioProfile profile; + profile.format = toString(xsd::AudioFormat::AUDIO_FORMAT_PCM_16_BIT); + profile.sampleRates.resize(2); + profile.sampleRates[0] = 44100; + profile.sampleRates[1] = 48000; + profile.channelMasks.resize(2); + profile.channelMasks[0] = toString(xsd::AudioChannelMask::AUDIO_CHANNEL_OUT_MONO); + profile.channelMasks[1] = toString(xsd::AudioChannelMask::AUDIO_CHANNEL_OUT_STEREO); + return profile; +} + TEST(HidlUtils, ConvertInvalidAudioTransports) { hidl_vec invalid; struct audio_port_v7 halInvalid = {}; @@ -973,20 +985,32 @@ TEST(HidlUtils, ConvertInvalidAudioTransports) { invalid[0].audioCapability.edid(hidl_vec(EXTRA_AUDIO_DESCRIPTOR_SIZE + 1)); invalid[1].encapsulationType = "random string"; EXPECT_EQ(BAD_VALUE, HidlUtils::audioTransportsToHal(invalid, &halInvalid)); + + // The size of audio profile must not be greater than the maximum value. + invalid.resize(0); + invalid.resize(AUDIO_PORT_MAX_AUDIO_PROFILES + 1); + for (size_t i = 0; i < invalid.size(); ++i) { + invalid[i].audioCapability.profile(generateValidAudioProfile()); + invalid[i].encapsulationType = + toString(xsd::AudioEncapsulationType::AUDIO_ENCAPSULATION_TYPE_NONE); + } + EXPECT_EQ(BAD_VALUE, HidlUtils::audioTransportsToHal(invalid, &halInvalid)); + + // The size of extra audio descriptors must not be greater than the maximum value. + invalid.resize(0); + invalid.resize(AUDIO_PORT_MAX_EXTRA_AUDIO_DESCRIPTORS + 1); + for (size_t i = 0; i < invalid.size(); ++i) { + invalid[i].audioCapability.edid({0x11, 0x06, 0x01}); + invalid[i].encapsulationType = + toString(xsd::AudioEncapsulationType::AUDIO_ENCAPSULATION_TYPE_IEC61937); + } + EXPECT_EQ(BAD_VALUE, HidlUtils::audioTransportsToHal(invalid, &halInvalid)); } TEST(HidlUtils, ConvertAudioTransports) { hidl_vec transports; transports.resize(2); - AudioProfile profile; - profile.format = toString(xsd::AudioFormat::AUDIO_FORMAT_PCM_16_BIT); - profile.sampleRates.resize(2); - profile.sampleRates[0] = 44100; - profile.sampleRates[1] = 48000; - profile.channelMasks.resize(2); - profile.channelMasks[0] = toString(xsd::AudioChannelMask::AUDIO_CHANNEL_OUT_MONO); - profile.channelMasks[1] = toString(xsd::AudioChannelMask::AUDIO_CHANNEL_OUT_STEREO); - transports[0].audioCapability.profile(profile); + transports[0].audioCapability.profile(generateValidAudioProfile()); hidl_vec shortAudioDescriptor({0x11, 0x06, 0x01}); transports[0].encapsulationType = toString(xsd::AudioEncapsulationType::AUDIO_ENCAPSULATION_TYPE_NONE); -- cgit v1.2.3 From 55d4d1ae85df88cc9ee66cdd95739399b01384bc Mon Sep 17 00:00:00 2001 From: Michael Butler Date: Thu, 1 Dec 2022 16:42:22 -0800 Subject: Add additional bounds checks to NNAPI FMQ deserialize utility functions This CL adds the following additional bounds checks: * Adds additional checks of the index of the std::vector before accessing the element at the index * Changes the array index operator [] to the checked std::vector::at method Bug: 256589724 Test: mma Merged-In: I6bfb02a5cd76258284cc4d797a4508b21e672c4b Change-Id: I6bfb02a5cd76258284cc4d797a4508b21e672c4b (cherry picked from commit 082cefe34080b89e18868d8df5a97bd01f87b39c) Merged-In: I6bfb02a5cd76258284cc4d797a4508b21e672c4b --- .../1.2/utils/src/ExecutionBurstUtils.cpp | 56 +++++++++++++--------- 1 file changed, 33 insertions(+), 23 deletions(-) diff --git a/neuralnetworks/1.2/utils/src/ExecutionBurstUtils.cpp b/neuralnetworks/1.2/utils/src/ExecutionBurstUtils.cpp index 1bdde1e71a..38710cf3fd 100644 --- a/neuralnetworks/1.2/utils/src/ExecutionBurstUtils.cpp +++ b/neuralnetworks/1.2/utils/src/ExecutionBurstUtils.cpp @@ -192,12 +192,13 @@ nn::Result, V1_2::MeasureTiming>> size_t index = 0; // validate packet information - if (data.size() == 0 || data[index].getDiscriminator() != discriminator::packetInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::packetInformation) { return NN_ERROR() << "FMQ Request packet ill-formed"; } // unpackage packet information - const FmqRequestDatum::PacketInformation& packetInfo = data[index].packetInformation(); + const FmqRequestDatum::PacketInformation& packetInfo = data.at(index).packetInformation(); index++; const uint32_t packetSize = packetInfo.packetSize; const uint32_t numberOfInputOperands = packetInfo.numberOfInputOperands; @@ -214,13 +215,14 @@ nn::Result, V1_2::MeasureTiming>> inputs.reserve(numberOfInputOperands); for (size_t operand = 0; operand < numberOfInputOperands; ++operand) { // validate input operand information - if (data[index].getDiscriminator() != discriminator::inputOperandInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::inputOperandInformation) { return NN_ERROR() << "FMQ Request packet ill-formed"; } // unpackage operand information const FmqRequestDatum::OperandInformation& operandInfo = - data[index].inputOperandInformation(); + data.at(index).inputOperandInformation(); index++; const bool hasNoValue = operandInfo.hasNoValue; const V1_0::DataLocation location = operandInfo.location; @@ -231,12 +233,13 @@ nn::Result, V1_2::MeasureTiming>> dimensions.reserve(numberOfDimensions); for (size_t i = 0; i < numberOfDimensions; ++i) { // validate dimension - if (data[index].getDiscriminator() != discriminator::inputOperandDimensionValue) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::inputOperandDimensionValue) { return NN_ERROR() << "FMQ Request packet ill-formed"; } // unpackage dimension - const uint32_t dimension = data[index].inputOperandDimensionValue(); + const uint32_t dimension = data.at(index).inputOperandDimensionValue(); index++; // store result @@ -253,13 +256,14 @@ nn::Result, V1_2::MeasureTiming>> outputs.reserve(numberOfOutputOperands); for (size_t operand = 0; operand < numberOfOutputOperands; ++operand) { // validate output operand information - if (data[index].getDiscriminator() != discriminator::outputOperandInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::outputOperandInformation) { return NN_ERROR() << "FMQ Request packet ill-formed"; } // unpackage operand information const FmqRequestDatum::OperandInformation& operandInfo = - data[index].outputOperandInformation(); + data.at(index).outputOperandInformation(); index++; const bool hasNoValue = operandInfo.hasNoValue; const V1_0::DataLocation location = operandInfo.location; @@ -270,12 +274,13 @@ nn::Result, V1_2::MeasureTiming>> dimensions.reserve(numberOfDimensions); for (size_t i = 0; i < numberOfDimensions; ++i) { // validate dimension - if (data[index].getDiscriminator() != discriminator::outputOperandDimensionValue) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::outputOperandDimensionValue) { return NN_ERROR() << "FMQ Request packet ill-formed"; } // unpackage dimension - const uint32_t dimension = data[index].outputOperandDimensionValue(); + const uint32_t dimension = data.at(index).outputOperandDimensionValue(); index++; // store result @@ -292,12 +297,13 @@ nn::Result, V1_2::MeasureTiming>> slots.reserve(numberOfPools); for (size_t pool = 0; pool < numberOfPools; ++pool) { // validate input operand information - if (data[index].getDiscriminator() != discriminator::poolIdentifier) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::poolIdentifier) { return NN_ERROR() << "FMQ Request packet ill-formed"; } // unpackage operand information - const int32_t poolId = data[index].poolIdentifier(); + const int32_t poolId = data.at(index).poolIdentifier(); index++; // store result @@ -305,17 +311,17 @@ nn::Result, V1_2::MeasureTiming>> } // validate measureTiming - if (data[index].getDiscriminator() != discriminator::measureTiming) { + if (index >= data.size() || data.at(index).getDiscriminator() != discriminator::measureTiming) { return NN_ERROR() << "FMQ Request packet ill-formed"; } // unpackage measureTiming - const V1_2::MeasureTiming measure = data[index].measureTiming(); + const V1_2::MeasureTiming measure = data.at(index).measureTiming(); index++; // validate packet information if (index != packetSize) { - return NN_ERROR() << "FMQ Result packet ill-formed"; + return NN_ERROR() << "FMQ Request packet ill-formed"; } // return request @@ -330,12 +336,13 @@ nn::Result, V1_2::T size_t index = 0; // validate packet information - if (data.size() == 0 || data[index].getDiscriminator() != discriminator::packetInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::packetInformation) { return NN_ERROR() << "FMQ Result packet ill-formed"; } // unpackage packet information - const FmqResultDatum::PacketInformation& packetInfo = data[index].packetInformation(); + const FmqResultDatum::PacketInformation& packetInfo = data.at(index).packetInformation(); index++; const uint32_t packetSize = packetInfo.packetSize; const V1_0::ErrorStatus errorStatus = packetInfo.errorStatus; @@ -351,12 +358,13 @@ nn::Result, V1_2::T outputShapes.reserve(numberOfOperands); for (size_t operand = 0; operand < numberOfOperands; ++operand) { // validate operand information - if (data[index].getDiscriminator() != discriminator::operandInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::operandInformation) { return NN_ERROR() << "FMQ Result packet ill-formed"; } // unpackage operand information - const FmqResultDatum::OperandInformation& operandInfo = data[index].operandInformation(); + const FmqResultDatum::OperandInformation& operandInfo = data.at(index).operandInformation(); index++; const bool isSufficient = operandInfo.isSufficient; const uint32_t numberOfDimensions = operandInfo.numberOfDimensions; @@ -366,12 +374,13 @@ nn::Result, V1_2::T dimensions.reserve(numberOfDimensions); for (size_t i = 0; i < numberOfDimensions; ++i) { // validate dimension - if (data[index].getDiscriminator() != discriminator::operandDimensionValue) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::operandDimensionValue) { return NN_ERROR() << "FMQ Result packet ill-formed"; } // unpackage dimension - const uint32_t dimension = data[index].operandDimensionValue(); + const uint32_t dimension = data.at(index).operandDimensionValue(); index++; // store result @@ -383,12 +392,13 @@ nn::Result, V1_2::T } // validate execution timing - if (data[index].getDiscriminator() != discriminator::executionTiming) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::executionTiming) { return NN_ERROR() << "FMQ Result packet ill-formed"; } // unpackage execution timing - const V1_2::Timing timing = data[index].executionTiming(); + const V1_2::Timing timing = data.at(index).executionTiming(); index++; // validate packet information -- cgit v1.2.3 From ac3fe1c45df579fd3e2adf6bcdf7ec35cf26d03d Mon Sep 17 00:00:00 2001 From: Jack Pham Date: Mon, 17 Oct 2022 00:17:50 -0700 Subject: UsbGadgetHal: Add null check in getCurrentUsbFunctions() Avoid dereferencing if the callback parameter is null. Bug: 268085267 CRs-Fixed: 3313859 Change-Id: I9da79fd92f44abf0175e2ca311f0247b49bace1d --- usb/gadget/1.1/default/UsbGadget.cpp | 2 ++ usb/gadget/1.2/default/UsbGadget.cpp | 2 ++ 2 files changed, 4 insertions(+) diff --git a/usb/gadget/1.1/default/UsbGadget.cpp b/usb/gadget/1.1/default/UsbGadget.cpp index 36d865dc2e..0d0b4032d4 100644 --- a/usb/gadget/1.1/default/UsbGadget.cpp +++ b/usb/gadget/1.1/default/UsbGadget.cpp @@ -46,6 +46,8 @@ void currentFunctionsAppliedCallback(bool functionsApplied, void* payload) { } Return UsbGadget::getCurrentUsbFunctions(const sp& callback) { + if (!callback) return Void(); + Return ret = callback->getCurrentUsbFunctionsCb( mCurrentUsbFunctions, mCurrentUsbFunctionsApplied ? Status::FUNCTIONS_APPLIED : Status::FUNCTIONS_NOT_APPLIED); diff --git a/usb/gadget/1.2/default/UsbGadget.cpp b/usb/gadget/1.2/default/UsbGadget.cpp index 8dd229e0fd..a59e983f69 100644 --- a/usb/gadget/1.2/default/UsbGadget.cpp +++ b/usb/gadget/1.2/default/UsbGadget.cpp @@ -46,6 +46,8 @@ void currentFunctionsAppliedCallback(bool functionsApplied, void* payload) { } Return UsbGadget::getCurrentUsbFunctions(const sp& callback) { + if (!callback) return Void(); + Return ret = callback->getCurrentUsbFunctionsCb( mCurrentUsbFunctions, mCurrentUsbFunctionsApplied ? Status::FUNCTIONS_APPLIED : Status::FUNCTIONS_NOT_APPLIED); -- cgit v1.2.3