diff options
| author | Kevin Rocard <krocard@google.com> | 2017-11-13 11:15:27 -0800 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-12-14 21:10:49 +0000 |
| commit | 9c8bf056282f7094405414a3f0765aac85579506 (patch) | |
| tree | a0a4b68c895c0603bfa7eea77f0115e06ea1dacd | |
| parent | 7bb7dfb72a0011f63063879df90ef67dece5c0c9 (diff) | |
| download | av-9c8bf056282f7094405414a3f0765aac85579506.tar.gz | |
IAudioPolicyService: Add attribute tags sanitization
When audio_attributes_t was read from the binder parcel,
the string tags field was copied without checking that
it contained a '\0'.
This could lead to read past the end when tags were used.
This patch always adds a '\0' at the end of the buffer when
deserializing.
Bug: 68953950
Test: manual playback/record
Test: send binder payload without \0 in tags attribute, check that only
AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1 char are printed.
Change-Id: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934
Merged-In: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934
Signed-off-by: Kevin Rocard <krocard@google.com>
(cherry picked from commit 39fdbd097a147b5c719dac9ad2759e6c44eb3a4e)
| -rw-r--r-- | media/libaudioclient/IAudioPolicyService.cpp | 12 | ||||
| -rw-r--r-- | media/libaudioclient/include/media/IAudioPolicyService.h | 2 |
2 files changed, 14 insertions, 0 deletions
diff --git a/media/libaudioclient/IAudioPolicyService.cpp b/media/libaudioclient/IAudioPolicyService.cpp index ceba211466..d838975fba 100644 --- a/media/libaudioclient/IAudioPolicyService.cpp +++ b/media/libaudioclient/IAudioPolicyService.cpp @@ -960,6 +960,7 @@ status_t BnAudioPolicyService::onTransact( bool hasAttributes = data.readInt32() != 0; if (hasAttributes) { data.read(&attr, sizeof(audio_attributes_t)); + sanetizeAudioAttributes(&attr); } audio_session_t session = (audio_session_t)data.readInt32(); audio_stream_type_t stream = AUDIO_STREAM_DEFAULT; @@ -1025,6 +1026,7 @@ status_t BnAudioPolicyService::onTransact( CHECK_INTERFACE(IAudioPolicyService, data, reply); audio_attributes_t attr; data.read(&attr, sizeof(audio_attributes_t)); + sanetizeAudioAttributes(&attr); audio_io_handle_t input = (audio_io_handle_t)data.readInt32(); audio_session_t session = (audio_session_t)data.readInt32(); pid_t pid = (pid_t)data.readInt32(); @@ -1400,6 +1402,7 @@ status_t BnAudioPolicyService::onTransact( data.read(&source, sizeof(struct audio_port_config)); audio_attributes_t attributes; data.read(&attributes, sizeof(audio_attributes_t)); + sanetizeAudioAttributes(&attributes); audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; status_t status = startAudioSource(&source, &attributes, &handle); reply->writeInt32(status); @@ -1450,6 +1453,15 @@ status_t BnAudioPolicyService::onTransact( } } +void BnAudioPolicyService::sanetizeAudioAttributes(audio_attributes_t* attr) +{ + const size_t tagsMaxSize = AUDIO_ATTRIBUTES_TAGS_MAX_SIZE; + if (strnlen(attr->tags, tagsMaxSize) >= tagsMaxSize) { + android_errorWriteLog(0x534e4554, "68953950"); // SafetyNet logging + } + attr->tags[tagsMaxSize - 1] = '\0'; +} + // ---------------------------------------------------------------------------- } // namespace android diff --git a/media/libaudioclient/include/media/IAudioPolicyService.h b/media/libaudioclient/include/media/IAudioPolicyService.h index 9b3e35ea57..60ba4ba28b 100644 --- a/media/libaudioclient/include/media/IAudioPolicyService.h +++ b/media/libaudioclient/include/media/IAudioPolicyService.h @@ -183,6 +183,8 @@ public: const Parcel& data, Parcel* reply, uint32_t flags = 0); +private: + void sanetizeAudioAttributes(audio_attributes_t* attr); }; // ---------------------------------------------------------------------------- |