Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9262496a authored by Andy Hung's avatar Andy Hung Committed by android-build-merger
Browse files

Merge "AudioFlinger: Check framecount overflow when creating track" into... 

Merge "AudioFlinger: Check framecount overflow when creating track" into lmp-dev am: 51a3483e am: 5dc0e88c am: 6d4b5fc3 am: 5562d704 am: 3fb4149e
am: 78ec3327

Change-Id: I50a7b9f86a494bff6aa43e719e5c819eb0c191ae
parents 3b57c387 78ec3327

services/audioflinger/Tracks.cpp

+16 −1
Original line number Diff line number Diff line
@@ -113,9 +113,24 @@ AudioFlinger::ThreadBase::TrackBase::TrackBase( 
    mUid = clientUid;



    // ALOGD("Creating track with %d buffers @ %d bytes", bufferCount, bufferSize);



    size_t bufferSize = buffer == NULL ? roundup(frameCount) : frameCount;

    // check overflow when computing bufferSize due to multiplication by mFrameSize.

    if (bufferSize < frameCount  // roundup rounds down for values above UINT_MAX / 2

            || mFrameSize == 0   // format needs to be correct

            || bufferSize > SIZE_MAX / mFrameSize) {

        android_errorWriteLog(0x534e4554, "34749571");

        return;

    }

    bufferSize *= mFrameSize;



    size_t size = sizeof(audio_track_cblk_t);

    size_t bufferSize = (buffer == NULL ? roundup(frameCount) : frameCount) * mFrameSize;

    if (buffer == NULL && alloc == ALLOC_CBLK) {

        // check overflow when computing allocation size for streaming tracks.

        if (size > SIZE_MAX - bufferSize) {

            android_errorWriteLog(0x534e4554, "34749571");

            return;

        }

        size += bufferSize;

    }