audio: Add checks to effects feature configs retrieval
The size of the feature config needs to be limited
by the Binder transaction size. This check is enforced
before calling into legacy C API.
Also, fixed invalid calculation of buffer size
in Effect::getSupportedConfigsImpl.
Bug: 240266798
Test: atest VtsHalAudioEffectV7_0TargetTest
Change-Id: I1a1f7931a07e28642967fa68d9a358429138db29
diff --git a/audio/effect/all-versions/default/Effect.cpp b/audio/effect/all-versions/default/Effect.cpp
index def3a3f..b57dc63 100644
--- a/audio/effect/all-versions/default/Effect.cpp
+++ b/audio/effect/all-versions/default/Effect.cpp
@@ -316,6 +316,11 @@
Result Effect::getCurrentConfigImpl(uint32_t featureId, uint32_t configSize,
GetCurrentConfigSuccessCallback onSuccess) {
+ if (configSize > kMaxDataSize - sizeof(uint32_t)) {
+ ALOGE("%s: Config size is too big: %" PRIu32, __func__, configSize);
+ android_errorWriteLog(0x534e4554, "240266798");
+ return Result::INVALID_ARGUMENTS;
+ }
uint32_t halCmd = featureId;
std::vector<uint32_t> halResult(alignedSizeIn<uint32_t>(sizeof(uint32_t) + configSize), 0);
uint32_t halResultSize = 0;
@@ -350,8 +355,12 @@
Result Effect::getSupportedConfigsImpl(uint32_t featureId, uint32_t maxConfigs, uint32_t configSize,
GetSupportedConfigsSuccessCallback onSuccess) {
+ if (maxConfigs != 0 && configSize > (kMaxDataSize - 2 * sizeof(uint32_t)) / maxConfigs) {
+ ALOGE("%s: Config size is too big: %" PRIu32, __func__, configSize);
+ return Result::INVALID_ARGUMENTS;
+ }
uint32_t halCmd[2] = {featureId, maxConfigs};
- uint32_t halResultSize = 2 * sizeof(uint32_t) + maxConfigs * sizeof(configSize);
+ uint32_t halResultSize = 2 * sizeof(uint32_t) + maxConfigs * configSize;
std::vector<uint8_t> halResult(static_cast<size_t>(halResultSize), 0);
return sendCommandReturningStatusAndData(
EFFECT_CMD_GET_FEATURE_SUPPORTED_CONFIGS, "GET_FEATURE_SUPPORTED_CONFIGS", sizeof(halCmd),