Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ef7eaaf8 authored by Phil Burk's avatar Phil Burk
Browse files

aaudio: protect against null client 

AAudioService would fail if a null client was passed.
Two null checks were added. One where we know the null
client first appears. And one where the client is first used
in case other calls are passing null.

Bug: 116230453
Test: Bug has a POC apk that triggers the bug.
Test: Look for messages like:
Test:      AAudio  : BnAAudioService::onTransact() client is NULL!
Change-Id: Id9c4fc154226ab40df97335da8bc9361cfc99a73
parent 2ddd17ca

media/libaaudio/src/binding/IAAudioService.cpp

+9 −2
Original line number Original line Diff line number Diff line
@@ -251,8 +251,15 @@ status_t BnAAudioService::onTransact(uint32_t code, const Parcel& data, 
            CHECK_INTERFACE(IAAudioService, data, reply);

            CHECK_INTERFACE(IAAudioService, data, reply);

            sp<IAAudioClient> client = interface_cast<IAAudioClient>(

            sp<IAAudioClient> client = interface_cast<IAAudioClient>(

                    data.readStrongBinder());

                    data.readStrongBinder());

            // readStrongBinder() can return null

            if (client.get() == nullptr) {

                ALOGE("BnAAudioService::%s(REGISTER_CLIENT) client is NULL!", __func__);

                android_errorWriteLog(0x534e4554, "116230453");

                return DEAD_OBJECT;

            } else {

                registerClient(client);

                registerClient(client);

                return NO_ERROR;

                return NO_ERROR;

            }

        } break;

        } break;





        case OPEN_STREAM: {

        case OPEN_STREAM: {

services/oboeservice/AAudioClientTracker.cpp

+6 −0
Original line number Original line Diff line number Diff line
@@ -67,6 +67,12 @@ aaudio_result_t AAudioClientTracker::registerClient(pid_t pid, 
                                         const sp<IAAudioClient>& client) {

                                         const sp<IAAudioClient>& client) {

    ALOGV("registerClient(), calling pid = %d, getpid() = %d\n", pid, getpid());

    ALOGV("registerClient(), calling pid = %d, getpid() = %d\n", pid, getpid());





    if (client.get() == nullptr) {

        ALOGE("AAudioClientTracker::%s() client is NULL!", __func__);

        android_errorWriteLog(0x534e4554, "116230453");

        return AAUDIO_ERROR_NULL;

    }



    std::lock_guard<std::mutex> lock(mLock);

    std::lock_guard<std::mutex> lock(mLock);

    if (mNotificationClients.count(pid) == 0) {

    if (mNotificationClients.count(pid) == 0) {

        sp<NotificationClient> notificationClient = new NotificationClient(pid);

        sp<NotificationClient> notificationClient = new NotificationClient(pid);