diff --git a/media/libaudioclient/IAudioPolicyService.cpp b/media/libaudioclient/IAudioPolicyService.cpp
index a49b2cbb52..a0516936e5 100644
--- a/media/libaudioclient/IAudioPolicyService.cpp
+++ b/media/libaudioclient/IAudioPolicyService.cpp
@@ -989,7 +989,7 @@ status_t BnAudioPolicyService::onTransact(
 case GET_OUTPUT_FOR_ATTR: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
- audio_attributes_t attr;
+ audio_attributes_t attr = {};
 bool hasAttributes = data.readInt32() != 0;
 if (hasAttributes) {
 data.read(&attr, sizeof(audio_attributes_t));
@@ -1058,7 +1058,7 @@ status_t BnAudioPolicyService::onTransact(
 case GET_INPUT_FOR_ATTR: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
- audio_attributes_t attr;
+ audio_attributes_t attr = {};
 data.read(&attr, sizeof(audio_attributes_t));
 sanetizeAudioAttributes(&attr);
 audio_io_handle_t input = (audio_io_handle_t)data.readInt32();
@@ -1160,8 +1160,11 @@ status_t BnAudioPolicyService::onTransact(
 case GET_OUTPUT_FOR_EFFECT: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
- effect_descriptor_t desc;
- data.read(&desc, sizeof(effect_descriptor_t));
+ effect_descriptor_t desc = {};
+ if (data.read(&desc, sizeof(desc)) != NO_ERROR) {
+ android_errorWriteLog(0x534e4554, "73126106");
+ }
+ (void)sanitizeEffectDescriptor(&desc);
 audio_io_handle_t output = getOutputForEffect(&desc);
 reply->writeInt32(static_cast (output));
 return NO_ERROR;
@@ -1169,8 +1172,11 @@ status_t BnAudioPolicyService::onTransact(
 case REGISTER_EFFECT: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
- effect_descriptor_t desc;
- data.read(&desc, sizeof(effect_descriptor_t));
+ effect_descriptor_t desc = {};
+ if (data.read(&desc, sizeof(desc)) != NO_ERROR) {
+ android_errorWriteLog(0x534e4554, "73126106");
+ }
+ (void)sanitizeEffectDescriptor(&desc);
 audio_io_handle_t io = data.readInt32();
 uint32_t strategy = data.readInt32();
 audio_session_t session = (audio_session_t) data.readInt32();
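Review bot: The result of `data.read(&attr, sizeof(audio_attributes_t))` is still ignored here and in GET_INPUT_FOR_ATTR (@@ -1058), while the two effect-descriptor hunks in this same file now check it; with `attr = {}` a short parcel no longer exposes stale stack bytes, but the request proceeds with an all-zero attributes struct instead of being rejected or even logged. The same unchecked read remains in IS_OFFLOAD_SUPPORTED (@@ -1248), CREATE_AUDIO_PATCH (@@ -1303, which already checks the handle read but not the patch read just before it), RELEASE_AUDIO_PATCH (@@ -1319), SET_AUDIO_PORT_CONFIG (@@ -1358) and START_AUDIO_SOURCE (@@ -1433). For consistency with the effect cases, at minimum `if (data.read(&attr, sizeof(attr)) != NO_ERROR) { android_errorWriteLog(0x534e4554, "73126106"); }`, and preferably an early error reply; the correct reply encoding for each case depends on reply layout that lies outside these hunks. Each enclosing case body continues past its hunk.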
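Review bot: In the failed-read branch of GET_OUTPUT_FOR_EFFECT the handler logs and then falls through, so `getOutputForEffect(&desc)` runs on an all-zero descriptor that `sanitizeEffectDescriptor` reports as clean (strnlen of a zeroed array is 0, so neither string is touched and nothing further is logged); REGISTER_EFFECT (@@ -1169) behaves the same way. If a malformed parcel should not reach the policy manager, put the early reply inside that branch, e.g. `reply->writeInt32(AUDIO_IO_HANDLE_NONE); return NO_ERROR;` here and `reply->writeInt32(BAD_VALUE); return NO_ERROR;` in REGISTER_EFFECT — assuming the latter's reply is a bare status, which is not visible in the hunk. If continuing is intentional, the explicit `(void)` on the sanitize call deserves a comment saying so, e.g. `// sanitized in place: a truncated or unreadable descriptor is logged but still accepted`. Both case bodies continue below their hunks.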
@@ -1229,7 +1235,7 @@ status_t BnAudioPolicyService::onTransact(
 count = AudioEffect::kMaxPreProcessing;
 }
 uint32_t retCount = count;
- effect_descriptor_t *descriptors = new effect_descriptor_t[count];
+ effect_descriptor_t *descriptors = new effect_descriptor_t[count]{};
 status_t status = queryDefaultPreProcessing(audioSession, descriptors, &retCount);
 reply->writeInt32(status);
 if (status != NO_ERROR && status != NO_MEMORY) {
@@ -1248,7 +1254,7 @@ status_t BnAudioPolicyService::onTransact(
 case IS_OFFLOAD_SUPPORTED: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
- audio_offload_info_t info;
+ audio_offload_info_t info = {};
 data.read(&info, sizeof(audio_offload_info_t));
 bool isSupported = isOffloadSupported(info);
 reply->writeInt32(isSupported);
@@ -1303,7 +1309,7 @@ status_t BnAudioPolicyService::onTransact(
 case CREATE_AUDIO_PATCH: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
- struct audio_patch patch;
+ struct audio_patch patch = {};
 data.read(&patch, sizeof(struct audio_patch));
 audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE;
 if (data.read(&handle, sizeof(audio_patch_handle_t)) != NO_ERROR) {
@@ -1319,7 +1325,7 @@ status_t BnAudioPolicyService::onTransact(
 case RELEASE_AUDIO_PATCH: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
- audio_patch_handle_t handle;
+ audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE;
 data.read(&handle, sizeof(audio_patch_handle_t));
 status_t status = releaseAudioPatch(handle);
 reply->writeInt32(status);
@@ -1358,8 +1364,9 @@ status_t BnAudioPolicyService::onTransact(
 case SET_AUDIO_PORT_CONFIG: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
- struct audio_port_config config;
+ struct audio_port_config config = {};
 data.read(&config, sizeof(struct audio_port_config));
+ (void)sanitizeAudioPortConfig(&config);
 status_t status = setAudioPortConfig(&config);
 reply->writeInt32(status);
 return NO_ERROR;
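Review bot: `descriptors` is still a raw owning pointer from `new effect_descriptor_t[count]{}`, and the matching `delete[]` lives outside this hunk, so every return path after `queryDefaultPreProcessing` — including the `status != NO_ERROR && status != NO_MEMORY` branch that begins at the hunk's last line — has to remember it. `std::unique_ptr<effect_descriptor_t[]> descriptors = std::make_unique<effect_descriptor_t[]>(count);` gives the same value-initialisation (all bytes zeroed, so nothing uninitialised can be copied into the reply) and frees on every path, with the call becoming `queryDefaultPreProcessing(audioSession, descriptors.get(), &retCount)`. That needs `<memory>` and a C++14 or newer build, neither of which is visible from this hunk. The enclosing case body starts before and ends after the hunk.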
@@ -1433,9 +1440,10 @@ status_t BnAudioPolicyService::onTransact(
 case START_AUDIO_SOURCE: {
 CHECK_INTERFACE(IAudioPolicyService, data, reply);
- struct audio_port_config source;
+ struct audio_port_config source = {};
 data.read(&source, sizeof(struct audio_port_config));
- audio_attributes_t attributes;
+ (void)sanitizeAudioPortConfig(&source);
+ audio_attributes_t attributes = {};
 data.read(&attributes, sizeof(audio_attributes_t));
 sanetizeAudioAttributes(&attributes);
 audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE;
@@ -1488,6 +1496,14 @@ status_t BnAudioPolicyService::onTransact(
 }
 }
+/** returns true if string overflow was prevented by zero termination */
+template
+static bool preventStringOverflow(char (&s)[size]) {
+ if (strnlen(s, size) < size) return false;
+ s[size - 1] = '\0';
+ return true;
+}
+
 void BnAudioPolicyService::sanetizeAudioAttributes(audio_attributes_t* attr)
 {
 const size_t tagsMaxSize = AUDIO_ATTRIBUTES_TAGS_MAX_SIZE;
@@ -1497,6 +1513,27 @@ void BnAudioPolicyService::sanetizeAudioAttributes(audio_attributes_t* attr)
 attr->tags[tagsMaxSize - 1] = '\0';
 }
+/** returns BAD_VALUE if sanitization was required. */
+status_t BnAudioPolicyService::sanitizeEffectDescriptor(effect_descriptor_t* desc)
+{
+ if (preventStringOverflow(desc->name)
+ | /* always */ preventStringOverflow(desc->implementor)) {
+ android_errorWriteLog(0x534e4554, "73126106"); // SafetyNet logging
+ return BAD_VALUE;
+ }
+ return NO_ERROR;
+}
+
+/** returns BAD_VALUE if sanitization was required. */
+status_t BnAudioPolicyService::sanitizeAudioPortConfig(struct audio_port_config* config)
+{
+ if (config->type == AUDIO_PORT_TYPE_DEVICE &&
+ preventStringOverflow(config->ext.device.address)) {
+ return BAD_VALUE;
+ }
+ return NO_ERROR;
+}
+
 // ----------------------------------------------------------------------------
 } // namespace android
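Review bot: `sanitizeAudioPortConfig` returns BAD_VALUE without the SafetyNet `android_errorWriteLog` that `sanitizeEffectDescriptor` writes, and both of its callers (@@ -1358 and @@ -1433) discard the result with `(void)`, so an over-long device address is truncated silently and leaves no record anywhere. If the same tracking id covers port configs, add `android_errorWriteLog(0x534e4554, "73126106");` before that `return BAD_VALUE;`, matching the effect-descriptor path. The `|` guarded by the `/* always */` marker in `sanitizeEffectDescriptor` does force both calls, but reads like a typo for `||`; two named results, `const bool nameFixed = preventStringOverflow(desc->name);` and `const bool implementorFixed = preventStringOverflow(desc->implementor);`, followed by `if (nameFixed || implementorFixed)`, make the both-must-run intent self-evident without the comment. The pre-existing `sanetizeAudioAttributes` spelling now sits next to two correctly spelled `sanitize*` siblings; renaming it is outside this change but worth a follow-up.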
diff --git a/media/libaudioclient/include/media/IAudioPolicyService.h b/media/libaudioclient/include/media/IAudioPolicyService.h
index 949d593dcd..1114eeb785 100644
--- a/media/libaudioclient/include/media/IAudioPolicyService.h
+++ b/media/libaudioclient/include/media/IAudioPolicyService.h
@@ -180,6 +180,8 @@ public:
 uint32_t flags = 0);
 private:
 void sanetizeAudioAttributes(audio_attributes_t* attr);
+ status_t sanitizeEffectDescriptor(effect_descriptor_t* desc);
+ status_t sanitizeAudioPortConfig(struct audio_port_config* config);
 };
 // ----------------------------------------------------------------------------
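Review bot: The two new private declarations carry no documentation, while their definitions in IAudioPolicyService.cpp each have a one-line `/** returns BAD_VALUE if sanitization was required. */` comment; readers of the header get neither that nor the more important half of the contract, that the argument is repaired in place and the return value only reports whether a repair happened. Suggest `/** Zero-terminates over-long name/implementor strings in *desc in place; returns BAD_VALUE if any was truncated, NO_ERROR otherwise. */` above `sanitizeEffectDescriptor`, and `/** Zero-terminates an over-long device address in *config in place; returns BAD_VALUE if it was truncated, NO_ERROR otherwise. */` above `sanitizeAudioPortConfig`. The class declaration begins before this hunk.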