RESTRICT AUTOMERGE: aaudio: Fix converting negative FIFO counters to index

The index into the FIFO is calculated by using:
    counter % capacity
But the counter is signed and when it is negative the modulo
can have a negative result. That can cause a negative array index
and an access out of bounds.

This is not normally a problem because the counter is 64 bits
and it will not overflow until the audio has run for a few million years.
But a hacker might be able to modify this internal counter and force an error.

The solution involves casting to a uint64_t before doing the modulo.

Note that there may still be a discontinuity when the counter wraps
from -1 to 0. But that will not result in an out-of-bounds access.
It may cause a noise but an app could simply create a noise directly.
So that is not considered an exploit.

Bug: 120789744
Test: test_atomic_fifo.cpp
Change-Id: I6fe57bcb44528d29b5edb817c592e5e9a8aaf8eb
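
The following is an added example, not code from this change or from the aaudio source. It contrasts the signed modulo with the `uint64_t` cast described in the commit message, and shows the -1 to 0 discontinuity for a capacity that is not a power of two. Function names and the capacities 48 and 64 are assumptions chosen for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical helper names; not taken from the aaudio source.

// Index taken directly from the signed counter. In C++ the result of %
// takes the sign of the dividend, so a negative counter yields an index <= 0.
int64_t indexSigned(int64_t counter, int32_t capacity) {
    return counter % capacity;
}

// Index taken after casting the counter to uint64_t, as the commit message
// describes. The result is always in [0, capacity).
uint32_t indexUnsigned(int64_t counter, uint32_t capacity) {
    return static_cast<uint32_t>(static_cast<uint64_t>(counter) % capacity);
}

bool inBounds(int64_t index, int64_t capacity) {
    return index >= 0 && index < capacity;
}

// True if stepping the counter from -1 to 0 advances the index by exactly
// one slot (modulo capacity). This holds only when capacity divides 2^64,
// i.e. when it is a power of two.
bool wrapIsContiguous(uint32_t capacity) {
    uint32_t before = indexUnsigned(-1, capacity);
    uint32_t after = indexUnsigned(0, capacity);
    return (before + 1) % capacity == after;
}

int main() {
    const int64_t counters[] = {-5, -1, 0, 1};   // constructed sample values
    const int32_t capacity = 48;                 // constructed, not a power of two
    for (int64_t c : counters) {
        std::printf("counter=%lld signed=%lld unsigned=%u\n",
                    (long long)c, (long long)indexSigned(c, capacity),
                    indexUnsigned(c, (uint32_t)capacity));
    }
    std::printf("wrap contiguous: cap 48=%d cap 64=%d\n",
                wrapIsContiguous(48), wrapIsContiguous(64));
    return 0;
}
```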