Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_av / 9b11c026344077dab9591bb8b9afdf3e7bd93eb1^! / . / services / soundtrigger / SoundTriggerHwService.cpp
commit9b11c026344077dab9591bb8b9afdf3e7bd93eb1[log] [tgz]
authorEric Laurent <elaurent@google.com>Wed Jun 06 19:19:22 2018 -0700
committerEric Laurent <elaurent@google.com>Thu Jun 07 16:50:45 2018 -0700
tree44bd2406c5d45c730437b4003535983df4d404f9
parent7e19897b405318df20eccb1d697a8ecccd70fbc7 [diff] [blame]
sound trigger: more checks on IMemory received from client

Add a verification on actual size of the fd backing up the IMemory
recevied for sound model or recognition config.

Fix similar problem for AudioTrack shared buffer.

Bug: 78596657
Test: run POC. OK Google regression.
Change-Id: I7cb02785f8ba46c437c7fcaa5b821f4b7e3240a0

diff --git a/services/soundtrigger/SoundTriggerHwService.cpp b/services/soundtrigger/SoundTriggerHwService.cpp
index 6bf6e94..eb9cd1d 100644
--- a/services/soundtrigger/SoundTriggerHwService.cpp
+++ b/services/soundtrigger/SoundTriggerHwService.cpp

@@ -562,10 +562,7 @@
     if (mHalInterface == 0) {
         return NO_INIT;
     }
-    if (modelMemory == 0 || modelMemory->pointer() == NULL) {
-        ALOGE("loadSoundModel() modelMemory is 0 or has NULL pointer()");
-        return BAD_VALUE;
-    }
+
     struct sound_trigger_sound_model *sound_model =
             (struct sound_trigger_sound_model *)modelMemory->pointer();
 
@@ -659,11 +656,6 @@
     if (mHalInterface == 0) {
         return NO_INIT;
     }
-    if (dataMemory == 0 || dataMemory->pointer() == NULL) {
-        ALOGE("startRecognition() dataMemory is 0 or has NULL pointer()");
-        return BAD_VALUE;
-
-    }
 
     struct sound_trigger_recognition_config *config =
             (struct sound_trigger_recognition_config *)dataMemory->pointer();
@@ -966,6 +958,9 @@
                                IPCThreadState::self()->getCallingUid())) {
         return PERMISSION_DENIED;
     }
+    if (checkIMemory(modelMemory) != NO_ERROR) {
+        return BAD_VALUE;
+    }
 
     sp<Module> module = mModule.promote();
     if (module == 0) {
@@ -997,6 +992,9 @@
                                IPCThreadState::self()->getCallingUid())) {
         return PERMISSION_DENIED;
     }
+    if (checkIMemory(dataMemory) != NO_ERROR) {
+        return BAD_VALUE;
+    }
 
     sp<Module> module = mModule.promote();
     if (module == 0) {