audio: Add checks to effects feature configs retrieval am: 8e3480edfe am: b5a665a326
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/19806116
Change-Id: I0fd3688038a23a73d8f97417a174b0cfb25097bd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/audio/effect/all-versions/default/Effect.cpp b/audio/effect/all-versions/default/Effect.cpp
index def3a3f..b57dc63 100644
--- a/audio/effect/all-versions/default/Effect.cpp
+++ b/audio/effect/all-versions/default/Effect.cpp
@@ -316,6 +316,11 @@
Result Effect::getCurrentConfigImpl(uint32_t featureId, uint32_t configSize,
GetCurrentConfigSuccessCallback onSuccess) {
+ if (configSize > kMaxDataSize - sizeof(uint32_t)) {
+ ALOGE("%s: Config size is too big: %" PRIu32, __func__, configSize);
+ android_errorWriteLog(0x534e4554, "240266798");
+ return Result::INVALID_ARGUMENTS;
+ }
uint32_t halCmd = featureId;
std::vector<uint32_t> halResult(alignedSizeIn<uint32_t>(sizeof(uint32_t) + configSize), 0);
uint32_t halResultSize = 0;
@@ -350,8 +355,12 @@
Result Effect::getSupportedConfigsImpl(uint32_t featureId, uint32_t maxConfigs, uint32_t configSize,
GetSupportedConfigsSuccessCallback onSuccess) {
+ if (maxConfigs != 0 && configSize > (kMaxDataSize - 2 * sizeof(uint32_t)) / maxConfigs) {
+ ALOGE("%s: Config size is too big: %" PRIu32, __func__, configSize);
+ return Result::INVALID_ARGUMENTS;
+ }
uint32_t halCmd[2] = {featureId, maxConfigs};
- uint32_t halResultSize = 2 * sizeof(uint32_t) + maxConfigs * sizeof(configSize);
+ uint32_t halResultSize = 2 * sizeof(uint32_t) + maxConfigs * configSize;
std::vector<uint8_t> halResult(static_cast<size_t>(halResultSize), 0);
return sendCommandReturningStatusAndData(
EFFECT_CMD_GET_FEATURE_SUPPORTED_CONFIGS, "GET_FEATURE_SUPPORTED_CONFIGS", sizeof(halCmd),
diff --git a/audio/effect/all-versions/default/Effect.h b/audio/effect/all-versions/default/Effect.h
index f0b65df..5d8dccc 100644
--- a/audio/effect/all-versions/default/Effect.h
+++ b/audio/effect/all-versions/default/Effect.h
@@ -184,6 +184,9 @@
using GetSupportedConfigsSuccessCallback =
std::function<void(uint32_t supportedConfigs, void* configsData)>;
+ // Sets the limit on the maximum size of vendor-provided data structures.
+ static constexpr size_t kMaxDataSize = 1 << 20;
+
static const char* sContextResultOfCommand;
static const char* sContextCallToCommand;
static const char* sContextCallFunction;
diff --git a/audio/effect/all-versions/vts/functional/VtsHalAudioEffectTargetTest.cpp b/audio/effect/all-versions/vts/functional/VtsHalAudioEffectTargetTest.cpp
index c808ff6..d95bb06 100644
--- a/audio/effect/all-versions/vts/functional/VtsHalAudioEffectTargetTest.cpp
+++ b/audio/effect/all-versions/vts/functional/VtsHalAudioEffectTargetTest.cpp
@@ -665,6 +665,37 @@
EXPECT_TRUE(ret.isOk());
}
+TEST_P(AudioEffectHidlTest, GetSupportedConfigsForFeatureInvalidConfigSize) {
+ description("Verify that GetSupportedConfigsForFeature caps the maximum config size");
+ const bool isNewDeviceLaunchingOnTPlus = property_get_int32("ro.vendor.api_level", 0) >= 33;
+ if (!isNewDeviceLaunchingOnTPlus) {
+ GTEST_SKIP() << "The test only applies to devices launching on T or later";
+ }
+ // Use very large size to ensure that the service does not crash.
+ const uint32_t veryLargeConfigSize = std::numeric_limits<uint32_t>::max() - 100;
+ Result retval = Result::OK;
+ Return<void> ret = effect->getSupportedConfigsForFeature(
+ 0, 1, veryLargeConfigSize,
+ [&](Result r, uint32_t, const hidl_vec<uint8_t>&) { retval = r; });
+ EXPECT_TRUE(ret.isOk());
+ EXPECT_EQ(Result::INVALID_ARGUMENTS, retval);
+}
+
+TEST_P(AudioEffectHidlTest, GetCurrentConfigForFeatureInvalidConfigSize) {
+ description("Verify that GetCurrentConfigForFeature caps the maximum config size");
+ const bool isNewDeviceLaunchingOnTPlus = property_get_int32("ro.vendor.api_level", 0) >= 33;
+ if (!isNewDeviceLaunchingOnTPlus) {
+ GTEST_SKIP() << "The test only applies to devices launching on T or later";
+ }
+ // Use very large size to ensure that the service does not crash.
+ const uint32_t veryLargeConfigSize = std::numeric_limits<uint32_t>::max() - 100;
+ Result retval = Result::OK;
+ Return<void> ret = effect->getCurrentConfigForFeature(
+ 0, veryLargeConfigSize, [&](Result r, const hidl_vec<uint8_t>&) { retval = r; });
+ EXPECT_TRUE(ret.isOk());
+ EXPECT_EQ(Result::INVALID_ARGUMENTS, retval);
+}
+
// The main test class for Equalizer Audio Effect HIDL HAL.
class EqualizerAudioEffectHidlTest : public AudioEffectHidlTest {
public: