From f4aeab2bd69bead05ed75ae3254f53a6ab2316b5 Mon Sep 17 00:00:00 2001
From: Andy Hung <hunga@google.com>
Date: Mon, 12 Jun 2017 17:22:46 -0700
Subject: [PATCH] Track: Check buffer size of static tracks

Merged-In: Ia7edd9a802905214a27961dbcec6352f6ef98f73
Test: Native POC
Bug: 38340117
Change-Id: I633caf563d3607dbe4b9be10be1687efce33469c
---
 services/audioflinger/Tracks.cpp | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/services/audioflinger/Tracks.cpp b/services/audioflinger/Tracks.cpp
index 95fb223c3f..a0be96c305 100644
--- a/services/audioflinger/Tracks.cpp
+++ b/services/audioflinger/Tracks.cpp
@@ -437,6 +437,21 @@ AudioFlinger::PlaybackThread::Track::Track(
         mAudioTrackServerProxy = new AudioTrackServerProxy(mCblk, mBuffer, frameCount,
                 mFrameSize, !isExternalTrack(), sampleRate);
     } else {
+        // Is the shared buffer of sufficient size?
+        // (frameCount * mFrameSize) is <= SIZE_MAX, checked in TrackBase.
+        if (sharedBuffer->size() < frameCount * mFrameSize) {
+            // Workaround: clear out mCblk to indicate track hasn't been properly created.
+            mCblk->~audio_track_cblk_t();   // destroy our shared-structure.
+            if (mClient == 0) {
+                free(mCblk);
+            }
+            mCblk = NULL;
+
+            mSharedBuffer.clear(); // release shared buffer early
+            android_errorWriteLog(0x534e4554, "38340117");
+            return;
+        }
+
         mAudioTrackServerProxy = new StaticAudioTrackServerProxy(mCblk, mBuffer, frameCount,
                 mFrameSize);
     }