
Commit abb7b176 authored by Ryszard Grzesica's avatar Ryszard Grzesica Committed by Takeshi Aimi

Fix preventing from heap overwrite in capture command

There was a heap-usage error when the audio framework stopped while
capturePoint was negative. The pointer to the reply data was moved, but
the final silence write was done using the original buffer size.
Now silence is set at the beginning, under the condition
that the framework has stopped.

Change-Id: I7dab1e922f1813e5fbfd4a64c8b0d15d9465520c
parent 80b72e6f
+35 −34
@@ -544,23 +544,34 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
        break;


    case VISUALIZER_CMD_CAPTURE:
        if (pReplyData == NULL || *replySize != pContext->mCaptureSize) {
            ALOGV("VISUALIZER_CMD_CAPTURE() error *replySize %d pContext->mCaptureSize %d",
                    *replySize, pContext->mCaptureSize);
    case VISUALIZER_CMD_CAPTURE: {
        int32_t captureSize = pContext->mCaptureSize;
        if (pReplyData == NULL || *replySize != captureSize) {
            ALOGV("VISUALIZER_CMD_CAPTURE() error *replySize %d captureSize %d",
                    *replySize, captureSize);
            return -EINVAL;
        }
        if (pContext->mState == VISUALIZER_STATE_ACTIVE) {
            int32_t latencyMs = pContext->mLatency;
            const uint32_t deltaMs = Visualizer_getDeltaTimeMsFromUpdatedTime(pContext);

            // if audio framework has stopped playing audio although the effect is still
            // active we must clear the capture buffer to return silence
            if ((pContext->mLastCaptureIdx == pContext->mCaptureIdx) &&
                    (pContext->mBufferUpdateTime.tv_sec != 0) &&
                    (deltaMs > MAX_STALL_TIME_MS)) {
                    ALOGV("capture going to idle");
                    pContext->mBufferUpdateTime.tv_sec = 0;
                    memset(pReplyData, 0x80, captureSize);
            } else {
                int32_t latencyMs = pContext->mLatency;
                latencyMs -= deltaMs;
                if (latencyMs < 0) {
                    latencyMs = 0;
                }
            const uint32_t deltaSmpl = pContext->mConfig.inputCfg.samplingRate * latencyMs / 1000;
                const uint32_t deltaSmpl =
                    pContext->mConfig.inputCfg.samplingRate * latencyMs / 1000;
                int32_t capturePoint = pContext->mCaptureIdx - captureSize - deltaSmpl;

            int32_t capturePoint = pContext->mCaptureIdx - pContext->mCaptureSize - deltaSmpl;
            int32_t captureSize = pContext->mCaptureSize;
                if (capturePoint < 0) {
                    int32_t size = -capturePoint;
                    if (size > captureSize) {
@@ -576,24 +587,14 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
                memcpy(pReplyData,
                       pContext->mCaptureBuf + capturePoint,
                       captureSize);


            // if audio framework has stopped playing audio although the effect is still
            // active we must clear the capture buffer to return silence
            if ((pContext->mLastCaptureIdx == pContext->mCaptureIdx) &&
                    (pContext->mBufferUpdateTime.tv_sec != 0)) {
                if (deltaMs > MAX_STALL_TIME_MS) {
                    ALOGV("capture going to idle");
                    pContext->mBufferUpdateTime.tv_sec = 0;
                    memset(pReplyData, 0x80, pContext->mCaptureSize);
                }
            }

            pContext->mLastCaptureIdx = pContext->mCaptureIdx;
        } else {
            memset(pReplyData, 0x80, pContext->mCaptureSize);
            memset(pReplyData, 0x80, captureSize);
        }

        break;
        } break;

    case VISUALIZER_CMD_MEASURE: {
        uint16_t peakU16 = 0;
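Review bot: The new else branch reads `pContext->mCaptureIdx` three separate times, at the stall check, in the `capturePoint` arithmetic and in the final `mLastCaptureIdx` store; if the processing path updates that field concurrently (not visible in this hunk), the stall decision and the index the bounds arithmetic is derived from can disagree, which is exactly the path this commit is hardening. Take one snapshot next to the new `captureSize` local, `const int32_t captureIdx = pContext->mCaptureIdx;`, and use it in all three places. `captureSize` is now a signed `int32_t` that is compared with `*replySize` and passed as the length to `memset`/`memcpy`; if `replySize` is the `uint32_t *` of the effect command signature, the comparison is mixed-sign and the `%d` in the ALOGV line does not match `*replySize`, so an unsigned local (or a `captureSize <= 0` guard before the compare) would be cleaner. As a point of style, the body of the idle branch (the ALOGV, `tv_sec = 0` and `memset` lines) is indented four columns deeper than its siblings, and `} break;` on one line differs from the `break;` used by the neighbouring cases. The `if (size > captureSize)` branch and the closing of the else block continue outside the visible hunks.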