Loading media/utils/ServiceUtilities.cpp +27 −0 Original line number Diff line number Diff line Loading @@ -14,6 +14,8 @@ * limitations under the License. */ #define LOG_TAG "ServiceUtilities" #include <binder/AppOpsManager.h> #include <binder/IPCThreadState.h> #include <binder/IServiceManager.h> Loading Loading @@ -172,4 +174,29 @@ bool modifyPhoneStateAllowed(pid_t pid, uid_t uid) { return ok; } status_t checkIMemory(const sp<IMemory>& iMemory) { if (iMemory == 0) { ALOGE("%s check failed: NULL IMemory pointer", __FUNCTION__); return BAD_VALUE; } sp<IMemoryHeap> heap = iMemory->getMemory(); if (heap == 0) { ALOGE("%s check failed: NULL heap pointer", __FUNCTION__); return BAD_VALUE; } off_t size = lseek(heap->getHeapID(), 0, SEEK_END); lseek(heap->getHeapID(), 0, SEEK_SET); if (iMemory->pointer() == NULL || size < (off_t)iMemory->size()) { ALOGE("%s check failed: pointer %p size %zu fd size %u", __FUNCTION__, iMemory->pointer(), iMemory->size(), (uint32_t)size); return BAD_VALUE; } return NO_ERROR; } } // namespace android media/utils/include/mediautils/ServiceUtilities.h +2 −0 Original line number Diff line number Diff line Loading @@ -16,6 +16,7 @@ #include <unistd.h> #include <binder/IMemory.h> #include <binder/PermissionController.h> #include <cutils/multiuser.h> #include <private/android_filesystem_config.h> Loading Loading @@ -69,4 +70,5 @@ bool settingsAllowed(); bool modifyAudioRoutingAllowed(); bool dumpAllowed(); bool modifyPhoneStateAllowed(pid_t pid, uid_t uid); status_t checkIMemory(const sp<IMemory>& iMemory); } services/audioflinger/Threads.cpp +7 −1 Original line number Diff line number Diff line Loading @@ -1891,11 +1891,17 @@ sp<AudioFlinger::PlaybackThread::Track> AudioFlinger::PlaybackThread::createTrac status_t lStatus; audio_output_flags_t outputFlags = mOutput->flags; audio_output_flags_t requestedFlags = *flags; uint32_t sampleRate; if (sharedBuffer != 0 && checkIMemory(sharedBuffer) != NO_ERROR) { lStatus = BAD_VALUE; goto Exit; } if (*pSampleRate == 0) { *pSampleRate = mSampleRate; } uint32_t sampleRate = *pSampleRate; sampleRate = *pSampleRate; // special case for FAST flag considered OK if fast mixer is present if (hasFastMixer()) { Loading services/soundtrigger/SoundTriggerHwService.cpp +7 −9 Original line number Diff line number Diff line Loading @@ -562,10 +562,7 @@ status_t SoundTriggerHwService::Module::loadSoundModel(const sp<IMemory>& modelM if (mHalInterface == 0) { return NO_INIT; } if (modelMemory == 0 || modelMemory->pointer() == NULL) { ALOGE("loadSoundModel() modelMemory is 0 or has NULL pointer()"); return BAD_VALUE; } struct sound_trigger_sound_model *sound_model = (struct sound_trigger_sound_model *)modelMemory->pointer(); Loading Loading @@ -659,11 +656,6 @@ status_t SoundTriggerHwService::Module::startRecognition(sound_model_handle_t ha if (mHalInterface == 0) { return NO_INIT; } if (dataMemory == 0 || dataMemory->pointer() == NULL) { ALOGE("startRecognition() dataMemory is 0 or has NULL pointer()"); return BAD_VALUE; } struct sound_trigger_recognition_config *config = (struct sound_trigger_recognition_config *)dataMemory->pointer(); Loading Loading @@ -966,6 +958,9 @@ status_t SoundTriggerHwService::ModuleClient::loadSoundModel(const sp<IMemory>& IPCThreadState::self()->getCallingUid())) { return PERMISSION_DENIED; } if (checkIMemory(modelMemory) != NO_ERROR) { return BAD_VALUE; } sp<Module> module = mModule.promote(); if (module == 0) { Loading Loading @@ -997,6 +992,9 @@ status_t SoundTriggerHwService::ModuleClient::startRecognition(sound_model_handl IPCThreadState::self()->getCallingUid())) { return PERMISSION_DENIED; } if (checkIMemory(dataMemory) != NO_ERROR) { return BAD_VALUE; } sp<Module> module = mModule.promote(); if (module == 0) { Loading Loading
media/utils/ServiceUtilities.cpp +27 −0 Original line number Diff line number Diff line Loading @@ -14,6 +14,8 @@ * limitations under the License. */ #define LOG_TAG "ServiceUtilities" #include <binder/AppOpsManager.h> #include <binder/IPCThreadState.h> #include <binder/IServiceManager.h> Loading Loading @@ -172,4 +174,29 @@ bool modifyPhoneStateAllowed(pid_t pid, uid_t uid) { return ok; } status_t checkIMemory(const sp<IMemory>& iMemory) { if (iMemory == 0) { ALOGE("%s check failed: NULL IMemory pointer", __FUNCTION__); return BAD_VALUE; } sp<IMemoryHeap> heap = iMemory->getMemory(); if (heap == 0) { ALOGE("%s check failed: NULL heap pointer", __FUNCTION__); return BAD_VALUE; } off_t size = lseek(heap->getHeapID(), 0, SEEK_END); lseek(heap->getHeapID(), 0, SEEK_SET); if (iMemory->pointer() == NULL || size < (off_t)iMemory->size()) { ALOGE("%s check failed: pointer %p size %zu fd size %u", __FUNCTION__, iMemory->pointer(), iMemory->size(), (uint32_t)size); return BAD_VALUE; } return NO_ERROR; } } // namespace android
media/utils/include/mediautils/ServiceUtilities.h +2 −0 Original line number Diff line number Diff line Loading @@ -16,6 +16,7 @@ #include <unistd.h> #include <binder/IMemory.h> #include <binder/PermissionController.h> #include <cutils/multiuser.h> #include <private/android_filesystem_config.h> Loading Loading @@ -69,4 +70,5 @@ bool settingsAllowed(); bool modifyAudioRoutingAllowed(); bool dumpAllowed(); bool modifyPhoneStateAllowed(pid_t pid, uid_t uid); status_t checkIMemory(const sp<IMemory>& iMemory); }
services/audioflinger/Threads.cpp +7 −1 Original line number Diff line number Diff line Loading @@ -1891,11 +1891,17 @@ sp<AudioFlinger::PlaybackThread::Track> AudioFlinger::PlaybackThread::createTrac status_t lStatus; audio_output_flags_t outputFlags = mOutput->flags; audio_output_flags_t requestedFlags = *flags; uint32_t sampleRate; if (sharedBuffer != 0 && checkIMemory(sharedBuffer) != NO_ERROR) { lStatus = BAD_VALUE; goto Exit; } if (*pSampleRate == 0) { *pSampleRate = mSampleRate; } uint32_t sampleRate = *pSampleRate; sampleRate = *pSampleRate; // special case for FAST flag considered OK if fast mixer is present if (hasFastMixer()) { Loading
services/soundtrigger/SoundTriggerHwService.cpp +7 −9 Original line number Diff line number Diff line Loading @@ -562,10 +562,7 @@ status_t SoundTriggerHwService::Module::loadSoundModel(const sp<IMemory>& modelM if (mHalInterface == 0) { return NO_INIT; } if (modelMemory == 0 || modelMemory->pointer() == NULL) { ALOGE("loadSoundModel() modelMemory is 0 or has NULL pointer()"); return BAD_VALUE; } struct sound_trigger_sound_model *sound_model = (struct sound_trigger_sound_model *)modelMemory->pointer(); Loading Loading @@ -659,11 +656,6 @@ status_t SoundTriggerHwService::Module::startRecognition(sound_model_handle_t ha if (mHalInterface == 0) { return NO_INIT; } if (dataMemory == 0 || dataMemory->pointer() == NULL) { ALOGE("startRecognition() dataMemory is 0 or has NULL pointer()"); return BAD_VALUE; } struct sound_trigger_recognition_config *config = (struct sound_trigger_recognition_config *)dataMemory->pointer(); Loading Loading @@ -966,6 +958,9 @@ status_t SoundTriggerHwService::ModuleClient::loadSoundModel(const sp<IMemory>& IPCThreadState::self()->getCallingUid())) { return PERMISSION_DENIED; } if (checkIMemory(modelMemory) != NO_ERROR) { return BAD_VALUE; } sp<Module> module = mModule.promote(); if (module == 0) { Loading Loading @@ -997,6 +992,9 @@ status_t SoundTriggerHwService::ModuleClient::startRecognition(sound_model_handl IPCThreadState::self()->getCallingUid())) { return PERMISSION_DENIED; } if (checkIMemory(dataMemory) != NO_ERROR) { return BAD_VALUE; } sp<Module> module = mModule.promote(); if (module == 0) { Loading
