aaudio: protect against null client
AAudioService would fail if a null client was passed.
Two null checks were added: one where the null client first
appears, and one where the client is first used, in case other
calls are passing null.
Bug: 116230453
Test: Bug has a POC apk that triggers the bug.
Test: Look for messages like:
Test: AAudio : BnAAudioService::onTransact() client is NULL!
Change-Id: Id9c4fc154226ab40df97335da8bc9361cfc99a73
diff --git a/media/libaaudio/src/binding/IAAudioService.cpp b/media/libaaudio/src/binding/IAAudioService.cpp
index 9b32543..97ad2b0 100644
--- a/media/libaaudio/src/binding/IAAudioService.cpp
+++ b/media/libaaudio/src/binding/IAAudioService.cpp
@@ -251,8 +251,15 @@
CHECK_INTERFACE(IAAudioService, data, reply);
sp<IAAudioClient> client = interface_cast<IAAudioClient>(
data.readStrongBinder());
- registerClient(client);
- return NO_ERROR;
+ // readStrongBinder() can return null
+ if (client.get() == nullptr) {
+ ALOGE("BnAAudioService::%s(REGISTER_CLIENT) client is NULL!", __func__);
+ android_errorWriteLog(0x534e4554, "116230453");
+ return DEAD_OBJECT;
+ } else {
+ registerClient(client);
+ return NO_ERROR;
+ }
} break;
case OPEN_STREAM: {
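Review bot: The ALOGE format string in the null branch will not produce the message the commit's Test: lines say to look for. Assuming `__func__` is `onTransact`, as the commit message implies, it expands to `BnAAudioService::onTransact(REGISTER_CLIENT) client is NULL!`, while the documented string is `BnAAudioService::onTransact() client is NULL!`, so an exact-match search of the log would miss the event. Either align the two or match on the stable suffix `client is NULL!`. The bare `0x534e4554` (ASCII "SNET") is repeated in the AAudioClientTracker.cpp hunk, and a comment such as `// "SNET" event-log tag; second argument is the bug id` would help at both sites. The `else` after `return DEAD_OBJECT;` is redundant and could be flattened.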
diff --git a/services/oboeservice/AAudioClientTracker.cpp b/services/oboeservice/AAudioClientTracker.cpp
index 83704ba..8572561 100644
--- a/services/oboeservice/AAudioClientTracker.cpp
+++ b/services/oboeservice/AAudioClientTracker.cpp
@@ -67,6 +67,12 @@
const sp<IAAudioClient>& client) {
ALOGV("registerClient(), calling pid = %d, getpid() = %d\n", pid, getpid());
+ if (client.get() == nullptr) {
+ ALOGE("AAudioClientTracker::%s() client is NULL!", __func__);
+ android_errorWriteLog(0x534e4554, "116230453");
+ return AAUDIO_ERROR_NULL;
+ }
+
std::lock_guard<std::mutex> lock(mLock);
if (mNotificationClients.count(pid) == 0) {
sp<NotificationClient> notificationClient = new NotificationClient(pid);
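Review bot: The ALOGE in the new null guard omits `pid`, although it is in scope (the ALOGV just above prints it), so the error line will not identify which caller passed the null client. ALOGV is typically compiled out of non-debug builds, which leaves this ALOGE as the only record for triage. Suggest `ALOGE("AAudioClientTracker::%s() client is NULL! pid = %d", __func__, pid);`. registerClient's signature and the rest of its body lie outside the hunk.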