Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0851b451 authored by Dan Pasanen's avatar Dan Pasanen
Browse files

Merge tag 'android-7.1.1_r21' into cm-14.1 

Android 7.1.1 release 21

# gpg: Signature made Wed 01 Feb 2017 04:40:16 PM CST
# gpg:                using DSA key E8AD3F819AB10E78
# gpg: Can't check signature: No public key
parents a3daed99 edc723b5

media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp

+21 −6
Original line number Diff line number Diff line
@@ -3127,10 +3127,6 @@ int Effect_command(effect_handle_t self, 
            //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");



            effect_param_t *p = (effect_param_t *)pCmdData;

            if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {

                android_errorWriteLog(0x534e4554, "26347509");

                return -EINVAL;

            }

            if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||

                    cmdSize < (sizeof(effect_param_t) + p->psize) ||

                    pReplyData == NULL || replySize == NULL ||
@@ -3138,13 +3134,32 @@ int Effect_command(effect_handle_t self, 
                ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR");

                return -EINVAL;

            }

            if (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {

                android_errorWriteLog(0x534e4554, "26347509");

                ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: psize too big");

                return -EINVAL;

            }

            uint32_t paddedParamSize = ((p->psize + sizeof(int32_t) - 1) / sizeof(int32_t)) *

                    sizeof(int32_t);

            if ((EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < paddedParamSize) ||

                (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) - paddedParamSize <

                    p->vsize)) {

                ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: padded_psize or vsize too big");

                return -EINVAL;

            }

            uint32_t expectedReplySize = sizeof(effect_param_t) + paddedParamSize + p->vsize;

            if (*replySize < expectedReplySize) {

                ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: min. replySize %u, got %u bytes",

                        expectedReplySize, *replySize);

                android_errorWriteLog(0x534e4554, "32705438");

                return -EINVAL;

            }



            memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);



            p = (effect_param_t *)pReplyData;



            int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);



            uint32_t voffset = paddedParamSize;

            if(pContext->EffectType == LVM_BASS_BOOST){

                p->status = android::BassBoost_getParameter(pContext,

                                                            p->data,

media/libmedia/IEffect.cpp

+12 −0
Original line number Diff line number Diff line
@@ -25,6 +25,9 @@ 


namespace android {



// Maximum command/reply size expected

#define EFFECT_PARAM_SIZE_MAX       65536



enum {

    ENABLE = IBinder::FIRST_CALL_TRANSACTION,

    DISABLE,
@@ -156,6 +159,10 @@ status_t BnEffect::onTransact( 
            uint32_t cmdSize = data.readInt32();

            char *cmd = NULL;

            if (cmdSize) {

                if (cmdSize > EFFECT_PARAM_SIZE_MAX) {

                    reply->writeInt32(NO_MEMORY);

                    return NO_ERROR;

                }

                cmd = (char *)calloc(cmdSize, 1);

                if (cmd == NULL) {

                    reply->writeInt32(NO_MEMORY);
@@ -167,6 +174,11 @@ status_t BnEffect::onTransact( 
            uint32_t replySz = replySize;

            char *resp = NULL;

            if (replySize) {

                if (replySize > EFFECT_PARAM_SIZE_MAX) {

                    free(cmd);

                    reply->writeInt32(NO_MEMORY);

                    return NO_ERROR;

                }

                resp = (char *)calloc(replySize, 1);

                if (resp == NULL) {

                    free(cmd);

services/audioflinger/Effects.cpp

+54 −19
Original line number Diff line number Diff line
@@ -626,6 +626,22 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode, 
        android_errorWriteLog(0x534e4554, "32438594");

        return -EINVAL;

    }

    if (cmdCode == EFFECT_CMD_GET_PARAM &&

        (sizeof(effect_param_t) > *replySize

          || ((effect_param_t *)pCmdData)->psize > *replySize

                                                   - sizeof(effect_param_t)

          || ((effect_param_t *)pCmdData)->vsize > *replySize

                                                   - sizeof(effect_param_t)

                                                   - ((effect_param_t *)pCmdData)->psize

          || roundUpDelta(((effect_param_t *)pCmdData)->psize, (uint32_t)sizeof(int)) >

                                                   *replySize

                                                   - sizeof(effect_param_t)

                                                   - ((effect_param_t *)pCmdData)->psize

                                                   - ((effect_param_t *)pCmdData)->vsize)) {

        ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: reply size inconsistent");

                     android_errorWriteLog(0x534e4554, "32705438");

        return -EINVAL;

    }

    if ((cmdCode == EFFECT_CMD_SET_PARAM

            || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) &&  // DEFERRED not generally used

        (sizeof(effect_param_t) > cmdSize
@@ -1314,36 +1330,54 @@ status_t AudioFlinger::EffectHandle::command(uint32_t cmdCode, 
        // particular client process:  no risk to block the whole media server process or mixer

        // threads if we are stuck here

        Mutex::Autolock _l(mCblk->lock);

        if (mCblk->clientIndex > EFFECT_PARAM_BUFFER_SIZE ||

            mCblk->serverIndex > EFFECT_PARAM_BUFFER_SIZE) {



        // keep local copy of index in case of client corruption b/32220769

        const uint32_t clientIndex = mCblk->clientIndex;

        const uint32_t serverIndex = mCblk->serverIndex;

        if (clientIndex > EFFECT_PARAM_BUFFER_SIZE ||

            serverIndex > EFFECT_PARAM_BUFFER_SIZE) {

            mCblk->serverIndex = 0;

            mCblk->clientIndex = 0;

            return BAD_VALUE;

        }

        status_t status = NO_ERROR;

        while (mCblk->serverIndex < mCblk->clientIndex) {

            int reply;

            uint32_t rsize = sizeof(int);

            int *p = (int *)(mBuffer + mCblk->serverIndex);

            int size = *p++;

            if (((uint8_t *)p + size) > mBuffer + mCblk->clientIndex) {

        effect_param_t *param = NULL;

        for (uint32_t index = serverIndex; index < clientIndex;) {

            int *p = (int *)(mBuffer + index);

            const int size = *p++;

            if (size < 0

                    || size > EFFECT_PARAM_BUFFER_SIZE

                    || ((uint8_t *)p + size) > mBuffer + clientIndex) {

                ALOGW("command(): invalid parameter block size");

                status = BAD_VALUE;

                break;

            }

            effect_param_t *param = (effect_param_t *)p;

            if (param->psize == 0 || param->vsize == 0) {

                ALOGW("command(): null parameter or value size");

                mCblk->serverIndex += size;

                continue;



            // copy to local memory in case of client corruption b/32220769

            param = (effect_param_t *)realloc(param, size);

            if (param == NULL) {

                ALOGW("command(): out of memory");

                status = NO_MEMORY;

                break;

            }

            uint32_t psize = sizeof(effect_param_t) +

                             ((param->psize - 1) / sizeof(int) + 1) * sizeof(int) +

                             param->vsize;

            memcpy(param, p, size);



            int reply = 0;

            uint32_t rsize = sizeof(reply);

            status_t ret = mEffect->command(EFFECT_CMD_SET_PARAM,

                                            psize,

                                            p,

                                            size,

                                            param,

                                            &rsize,

                                            &reply);



            // verify shared memory: server index shouldn't change; client index can't go back.

            if (serverIndex != mCblk->serverIndex

                    || clientIndex > mCblk->clientIndex) {

                android_errorWriteLog(0x534e4554, "32220769");

                status = BAD_VALUE;

                break;

            }



            // stop at first error encountered

            if (ret != NO_ERROR) {

                status = ret;
@@ -1353,8 +1387,9 @@ status_t AudioFlinger::EffectHandle::command(uint32_t cmdCode, 
                *(int *)pReplyData = reply;

                break;

            }

            mCblk->serverIndex += size;

            index += size;

        }

        free(param);

        mCblk->serverIndex = 0;

        mCblk->clientIndex = 0;

        return status;