aaudio: protect against null client

AAudioService would fail if a null client was passed.
Two null checks were added. One where we know the null
client first appears. And one where the client is first used
in case other calls are passing null.

Bug: 116230453
Test: Bug has a POC apk that triggers the bug.
Test: Look for messages like:
Test:      AAudio  : BnAAudioService::onTransact() client is NULL!
Change-Id: Id9c4fc154226ab40df97335da8bc9361cfc99a73

media/libaaudio/src/binding/IAAudioService.cpp

@@ -251,8 +251,15 @@ status_t BnAAudioService::onTransact(uint32_t code, const Parcel& data,
             CHECK_INTERFACE(IAAudioService, data, reply);
             sp<IAAudioClient> client = interface_cast<IAAudioClient>(
                     data.readStrongBinder());
-            registerClient(client);
-            return NO_ERROR;
+            // readStrongBinder() can return null
+            if (client.get() == nullptr) {
+                ALOGE("BnAAudioService::%s(REGISTER_CLIENT) client is NULL!", __func__);
+                android_errorWriteLog(0x534e4554, "116230453");
+                return DEAD_OBJECT;
+            } else {
+                registerClient(client);
+                return NO_ERROR;
+            }
         } break;
 
         case OPEN_STREAM: {

services/oboeservice/AAudioClientTracker.cpp

@@ -67,6 +67,12 @@ aaudio_result_t AAudioClientTracker::registerClient(pid_t pid,
                                          const sp<IAAudioClient>& client) {
     ALOGV("registerClient(), calling pid = %d, getpid() = %d\n", pid, getpid());
 
+    if (client.get() == nullptr) {
+        ALOGE("AAudioClientTracker::%s() client is NULL!", __func__);
+        android_errorWriteLog(0x534e4554, "116230453");
+        return AAUDIO_ERROR_NULL;
+    }
+
     std::lock_guard<std::mutex> lock(mLock);
     if (mNotificationClients.count(pid) == 0) {
         sp<NotificationClient> notificationClient = new NotificationClient(pid);