Loading media/libaudioclient/Android.bp +1 −0 Original line number Original line Diff line number Diff line Loading @@ -63,6 +63,7 @@ cc_library_shared { "AudioEffect.cpp", "AudioEffect.cpp", "AudioRecord.cpp", "AudioRecord.cpp", "AudioSanitizer.cpp", "AudioSystem.cpp", "AudioSystem.cpp", "AudioTrack.cpp", "AudioTrack.cpp", "AudioTrackShared.cpp", "AudioTrackShared.cpp", Loading media/libaudioclient/AudioSanitizer.cpp 0 → 100644 +116 −0 Original line number Original line Diff line number Diff line /* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <media/AudioSanitizer.h> namespace android { /** returns true if string overflow was prevented by zero termination */ template <size_t size> bool preventStringOverflow(char (&s)[size]) { if (strnlen(s, size) < size) return false; s[size - 1] = '\0'; return true; } status_t safetyNetLog(status_t status, const char *bugNumber) { if (status != NO_ERROR && bugNumber != nullptr) { android_errorWriteLog(0x534e4554, bugNumber); // SafetyNet logging } return status; } status_t AudioSanitizer::sanitizeAudioAttributes( audio_attributes_t *attr, const char *bugNumber) { status_t status = NO_ERROR; const size_t tagsMaxSize = AUDIO_ATTRIBUTES_TAGS_MAX_SIZE; if (strnlen(attr->tags, tagsMaxSize) >= tagsMaxSize) { status = BAD_VALUE; } attr->tags[tagsMaxSize - 1] = '\0'; return safetyNetLog(status, bugNumber); } /** returns BAD_VALUE if sanitization was required. */ status_t AudioSanitizer::sanitizeEffectDescriptor( effect_descriptor_t *desc, const char *bugNumber) { status_t status = NO_ERROR; if (preventStringOverflow(desc->name) | /* always */ preventStringOverflow(desc->implementor)) { status = BAD_VALUE; } return safetyNetLog(status, bugNumber); } /** returns BAD_VALUE if sanitization was required. */ status_t AudioSanitizer::sanitizeAudioPortConfig( struct audio_port_config *config, const char *bugNumber) { status_t status = NO_ERROR; if (config->type == AUDIO_PORT_TYPE_DEVICE && preventStringOverflow(config->ext.device.address)) { status = BAD_VALUE; } return safetyNetLog(status, bugNumber); } /** returns BAD_VALUE if sanitization was required. */ status_t AudioSanitizer::sanitizeAudioPort( struct audio_port *port, const char *bugNumber) { status_t status = NO_ERROR; if (preventStringOverflow(port->name)) { status = BAD_VALUE; } if (sanitizeAudioPortConfig(&port->active_config) != NO_ERROR) { status = BAD_VALUE; } if (port->type == AUDIO_PORT_TYPE_DEVICE && preventStringOverflow(port->ext.device.address)) { status = BAD_VALUE; } return safetyNetLog(status, bugNumber); } /** returns BAD_VALUE if sanitization was required. */ status_t AudioSanitizer::sanitizeAudioPatch( struct audio_patch *patch, const char *bugNumber) { status_t status = NO_ERROR; if (patch->num_sources > AUDIO_PATCH_PORTS_MAX) { patch->num_sources = AUDIO_PATCH_PORTS_MAX; status = BAD_VALUE; } if (patch->num_sinks > AUDIO_PATCH_PORTS_MAX) { patch->num_sinks = AUDIO_PATCH_PORTS_MAX; status = BAD_VALUE; } for (size_t i = 0; i < patch->num_sources; i++) { if (sanitizeAudioPortConfig(&patch->sources[i]) != NO_ERROR) { status = BAD_VALUE; } } for (size_t i = 0; i < patch->num_sinks; i++) { if (sanitizeAudioPortConfig(&patch->sinks[i]) != NO_ERROR) { status = BAD_VALUE; } } return safetyNetLog(status, bugNumber); } }; // namespace android media/libaudioclient/IAudioFlinger.cpp +27 −7 Original line number Original line Diff line number Diff line Loading @@ -24,6 +24,7 @@ #include <binder/IPCThreadState.h> #include <binder/IPCThreadState.h> #include <binder/Parcel.h> #include <binder/Parcel.h> #include <media/AudioSanitizer.h> #include <mediautils/ServiceUtilities.h> #include <mediautils/ServiceUtilities.h> #include <mediautils/TimeCheck.h> #include <mediautils/TimeCheck.h> #include "IAudioFlinger.h" #include "IAudioFlinger.h" Loading Loading @@ -1483,10 +1484,15 @@ status_t BnAudioFlinger::onTransact( case GET_AUDIO_PORT: { case GET_AUDIO_PORT: { CHECK_INTERFACE(IAudioFlinger, data, reply); CHECK_INTERFACE(IAudioFlinger, data, reply); struct audio_port port = {}; struct audio_port port = {}; if (data.read(&port, sizeof(struct audio_port)) != NO_ERROR) { status_t status = data.read(&port, sizeof(struct audio_port)); if (status != NO_ERROR) { ALOGE("b/23905951"); ALOGE("b/23905951"); return status; } status = AudioSanitizer::sanitizeAudioPort(&port); if (status == NO_ERROR) { status = getAudioPort(&port); } } status_t status = getAudioPort(&port); reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->write(&port, sizeof(struct audio_port)); reply->write(&port, sizeof(struct audio_port)); Loading @@ -1496,12 +1502,20 @@ status_t BnAudioFlinger::onTransact( case CREATE_AUDIO_PATCH: { case CREATE_AUDIO_PATCH: { CHECK_INTERFACE(IAudioFlinger, data, reply); CHECK_INTERFACE(IAudioFlinger, data, reply); struct audio_patch patch; struct audio_patch patch; data.read(&patch, sizeof(struct audio_patch)); status_t status = data.read(&patch, sizeof(struct audio_patch)); if (status != NO_ERROR) { return status; } audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; if (data.read(&handle, sizeof(audio_patch_handle_t)) != NO_ERROR) { status = data.read(&handle, sizeof(audio_patch_handle_t)); if (status != NO_ERROR) { ALOGE("b/23905951"); ALOGE("b/23905951"); return status; } status = AudioSanitizer::sanitizeAudioPatch(&patch); if (status == NO_ERROR) { status = createAudioPatch(&patch, &handle); } } status_t status = createAudioPatch(&patch, &handle); reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->write(&handle, sizeof(audio_patch_handle_t)); reply->write(&handle, sizeof(audio_patch_handle_t)); Loading Loading @@ -1546,8 +1560,14 @@ status_t BnAudioFlinger::onTransact( case SET_AUDIO_PORT_CONFIG: { case SET_AUDIO_PORT_CONFIG: { CHECK_INTERFACE(IAudioFlinger, data, reply); CHECK_INTERFACE(IAudioFlinger, data, reply); struct audio_port_config config; struct audio_port_config config; data.read(&config, sizeof(struct audio_port_config)); status_t status = data.read(&config, sizeof(struct audio_port_config)); status_t status = setAudioPortConfig(&config); if (status != NO_ERROR) { return status; } status = AudioSanitizer::sanitizeAudioPortConfig(&config); if (status == NO_ERROR) { status = setAudioPortConfig(&config); } reply->writeInt32(status); reply->writeInt32(status); return NO_ERROR; return NO_ERROR; } break; } break; Loading media/libaudioclient/IAudioPolicyService.cpp +105 −81 Original line number Original line Diff line number Diff line Loading @@ -26,6 +26,7 @@ #include <binder/IPCThreadState.h> #include <binder/IPCThreadState.h> #include <binder/Parcel.h> #include <binder/Parcel.h> #include <media/AudioEffect.h> #include <media/AudioEffect.h> #include <media/AudioSanitizer.h> #include <media/IAudioPolicyService.h> #include <media/IAudioPolicyService.h> #include <mediautils/ServiceUtilities.h> #include <mediautils/ServiceUtilities.h> #include <mediautils/TimeCheck.h> #include <mediautils/TimeCheck.h> Loading Loading @@ -1685,7 +1686,6 @@ status_t BnAudioPolicyService::onTransact( if (status != NO_ERROR) { if (status != NO_ERROR) { return status; return status; } } sanetizeAudioAttributes(&attr); audio_session_t session = (audio_session_t)data.readInt32(); audio_session_t session = (audio_session_t)data.readInt32(); audio_stream_type_t stream = AUDIO_STREAM_DEFAULT; audio_stream_type_t stream = AUDIO_STREAM_DEFAULT; bool hasStream = data.readInt32() != 0; bool hasStream = data.readInt32() != 0; Loading @@ -1703,10 +1703,14 @@ status_t BnAudioPolicyService::onTransact( audio_port_handle_t portId = (audio_port_handle_t)data.readInt32(); audio_port_handle_t portId = (audio_port_handle_t)data.readInt32(); audio_io_handle_t output = 0; audio_io_handle_t output = 0; std::vector<audio_io_handle_t> secondaryOutputs; std::vector<audio_io_handle_t> secondaryOutputs; status = AudioSanitizer::sanitizeAudioAttributes(&attr, "68953950"); if (status == NO_ERROR) { status = getOutputForAttr(&attr, status = getOutputForAttr(&attr, &output, session, &stream, pid, uid, &output, session, &stream, pid, uid, &config, &config, flags, &selectedDeviceId, &portId, &secondaryOutputs); flags, &selectedDeviceId, &portId, &secondaryOutputs); } reply->writeInt32(status); reply->writeInt32(status); status = reply->write(&attr, sizeof(audio_attributes_t)); status = reply->write(&attr, sizeof(audio_attributes_t)); if (status != NO_ERROR) { if (status != NO_ERROR) { Loading Loading @@ -1745,8 +1749,11 @@ status_t BnAudioPolicyService::onTransact( case GET_INPUT_FOR_ATTR: { case GET_INPUT_FOR_ATTR: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); audio_attributes_t attr = {}; audio_attributes_t attr = {}; data.read(&attr, sizeof(audio_attributes_t)); status_t status = data.read(&attr, sizeof(audio_attributes_t)); sanetizeAudioAttributes(&attr); if (status != NO_ERROR) { return status; } audio_io_handle_t input = (audio_io_handle_t)data.readInt32(); audio_io_handle_t input = (audio_io_handle_t)data.readInt32(); audio_unique_id_t riid = (audio_unique_id_t)data.readInt32(); audio_unique_id_t riid = (audio_unique_id_t)data.readInt32(); audio_session_t session = (audio_session_t)data.readInt32(); audio_session_t session = (audio_session_t)data.readInt32(); Loading @@ -1759,9 +1766,13 @@ status_t BnAudioPolicyService::onTransact( audio_input_flags_t flags = (audio_input_flags_t) data.readInt32(); audio_input_flags_t flags = (audio_input_flags_t) data.readInt32(); audio_port_handle_t selectedDeviceId = (audio_port_handle_t) data.readInt32(); audio_port_handle_t selectedDeviceId = (audio_port_handle_t) data.readInt32(); audio_port_handle_t portId = (audio_port_handle_t)data.readInt32(); audio_port_handle_t portId = (audio_port_handle_t)data.readInt32(); status_t status = getInputForAttr(&attr, &input, riid, session, pid, uid, status = AudioSanitizer::sanitizeAudioAttributes(&attr, "68953950"); if (status == NO_ERROR) { status = getInputForAttr(&attr, &input, riid, session, pid, uid, opPackageName, &config, opPackageName, &config, flags, &selectedDeviceId, &portId); flags, &selectedDeviceId, &portId); } reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->writeInt32(input); reply->writeInt32(input); Loading Loading @@ -1842,11 +1853,15 @@ status_t BnAudioPolicyService::onTransact( if (status != NO_ERROR) { if (status != NO_ERROR) { return status; return status; } } int index = data.readInt32(); int index = data.readInt32(); audio_devices_t device = static_cast <audio_devices_t>(data.readInt32()); audio_devices_t device = static_cast <audio_devices_t>(data.readInt32()); reply->writeInt32(static_cast <uint32_t>(setVolumeIndexForAttributes(attributes, status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); index, device))); if (status == NO_ERROR) { status = setVolumeIndexForAttributes(attributes, index, device); } reply->writeInt32(static_cast <int32_t>(status)); return NO_ERROR; return NO_ERROR; } break; } break; Loading @@ -1860,8 +1875,11 @@ status_t BnAudioPolicyService::onTransact( audio_devices_t device = static_cast <audio_devices_t>(data.readInt32()); audio_devices_t device = static_cast <audio_devices_t>(data.readInt32()); int index = 0; int index = 0; status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); if (status == NO_ERROR) { status = getVolumeIndexForAttributes(attributes, index, device); status = getVolumeIndexForAttributes(attributes, index, device); reply->writeInt32(static_cast <uint32_t>(status)); } reply->writeInt32(static_cast <int32_t>(status)); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->writeInt32(index); reply->writeInt32(index); } } Loading @@ -1877,8 +1895,11 @@ status_t BnAudioPolicyService::onTransact( } } int index = 0; int index = 0; status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); if (status == NO_ERROR) { status = getMinVolumeIndexForAttributes(attributes, index); status = getMinVolumeIndexForAttributes(attributes, index); reply->writeInt32(static_cast <uint32_t>(status)); } reply->writeInt32(static_cast <int32_t>(status)); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->writeInt32(index); reply->writeInt32(index); } } Loading @@ -1894,8 +1915,11 @@ status_t BnAudioPolicyService::onTransact( } } int index = 0; int index = 0; status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); if (status == NO_ERROR) { status = getMaxVolumeIndexForAttributes(attributes, index); status = getMaxVolumeIndexForAttributes(attributes, index); reply->writeInt32(static_cast <uint32_t>(status)); } reply->writeInt32(static_cast <int32_t>(status)); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->writeInt32(index); reply->writeInt32(index); } } Loading @@ -1913,31 +1937,37 @@ status_t BnAudioPolicyService::onTransact( case GET_OUTPUT_FOR_EFFECT: { case GET_OUTPUT_FOR_EFFECT: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); effect_descriptor_t desc = {}; effect_descriptor_t desc = {}; if (data.read(&desc, sizeof(desc)) != NO_ERROR) { status_t status = data.read(&desc, sizeof(desc)); if (status != NO_ERROR) { android_errorWriteLog(0x534e4554, "73126106"); android_errorWriteLog(0x534e4554, "73126106"); return status; } } (void)sanitizeEffectDescriptor(&desc); audio_io_handle_t output = AUDIO_IO_HANDLE_NONE; audio_io_handle_t output = getOutputForEffect(&desc); status = AudioSanitizer::sanitizeEffectDescriptor(&desc, "73126106"); reply->writeInt32(static_cast <int>(output)); if (status == NO_ERROR) { output = getOutputForEffect(&desc); } reply->writeInt32(static_cast <int32_t>(output)); return NO_ERROR; return NO_ERROR; } break; } break; case REGISTER_EFFECT: { case REGISTER_EFFECT: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); effect_descriptor_t desc = {}; effect_descriptor_t desc = {}; if (data.read(&desc, sizeof(desc)) != NO_ERROR) { status_t status = data.read(&desc, sizeof(desc)); if (status != NO_ERROR) { android_errorWriteLog(0x534e4554, "73126106"); android_errorWriteLog(0x534e4554, "73126106"); return status; } } (void)sanitizeEffectDescriptor(&desc); audio_io_handle_t io = data.readInt32(); audio_io_handle_t io = data.readInt32(); uint32_t strategy = data.readInt32(); uint32_t strategy = data.readInt32(); audio_session_t session = (audio_session_t) data.readInt32(); audio_session_t session = (audio_session_t) data.readInt32(); int id = data.readInt32(); int id = data.readInt32(); reply->writeInt32(static_cast <int32_t>(registerEffect(&desc, status = AudioSanitizer::sanitizeEffectDescriptor(&desc, "73126106"); io, if (status == NO_ERROR) { strategy, status = registerEffect(&desc, io, strategy, session, id); session, } id))); reply->writeInt32(static_cast <int32_t>(status)); return NO_ERROR; return NO_ERROR; } break; } break; Loading Loading @@ -2046,7 +2076,11 @@ status_t BnAudioPolicyService::onTransact( if (status != NO_ERROR) return status; if (status != NO_ERROR) return status; status = data.read(&attributes, sizeof(audio_attributes_t)); status = data.read(&attributes, sizeof(audio_attributes_t)); if (status != NO_ERROR) return status; if (status != NO_ERROR) return status; reply->writeInt32(isDirectOutputSupported(config, attributes)); status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); if (status == NO_ERROR) { status = isDirectOutputSupported(config, attributes); } reply->writeInt32(static_cast <int32_t>(status)); return NO_ERROR; return NO_ERROR; } } Loading Loading @@ -2085,10 +2119,15 @@ status_t BnAudioPolicyService::onTransact( case GET_AUDIO_PORT: { case GET_AUDIO_PORT: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); struct audio_port port = {}; struct audio_port port = {}; if (data.read(&port, sizeof(struct audio_port)) != NO_ERROR) { status_t status = data.read(&port, sizeof(struct audio_port)); if (status != NO_ERROR) { ALOGE("b/23912202"); ALOGE("b/23912202"); return status; } status = AudioSanitizer::sanitizeAudioPort(&port); if (status == NO_ERROR) { status = getAudioPort(&port); } } status_t status = getAudioPort(&port); reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->write(&port, sizeof(struct audio_port)); reply->write(&port, sizeof(struct audio_port)); Loading @@ -2099,12 +2138,20 @@ status_t BnAudioPolicyService::onTransact( case CREATE_AUDIO_PATCH: { case CREATE_AUDIO_PATCH: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); struct audio_patch patch = {}; struct audio_patch patch = {}; data.read(&patch, sizeof(struct audio_patch)); status_t status = data.read(&patch, sizeof(struct audio_patch)); if (status != NO_ERROR) { return status; } audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; if (data.read(&handle, sizeof(audio_patch_handle_t)) != NO_ERROR) { status = data.read(&handle, sizeof(audio_patch_handle_t)); if (status != NO_ERROR) { ALOGE("b/23912202"); ALOGE("b/23912202"); return status; } status = AudioSanitizer::sanitizeAudioPatch(&patch); if (status == NO_ERROR) { status = createAudioPatch(&patch, &handle); } } status_t status = createAudioPatch(&patch, &handle); reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->write(&handle, sizeof(audio_patch_handle_t)); reply->write(&handle, sizeof(audio_patch_handle_t)); Loading Loading @@ -2154,9 +2201,12 @@ status_t BnAudioPolicyService::onTransact( case SET_AUDIO_PORT_CONFIG: { case SET_AUDIO_PORT_CONFIG: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); struct audio_port_config config = {}; struct audio_port_config config = {}; data.read(&config, sizeof(struct audio_port_config)); status_t status = data.read(&config, sizeof(struct audio_port_config)); (void)sanitizeAudioPortConfig(&config); if (status != NO_ERROR) { status_t status = setAudioPortConfig(&config); return status; } (void)AudioSanitizer::sanitizeAudioPortConfig(&config); status = setAudioPortConfig(&config); reply->writeInt32(status); reply->writeInt32(status); return NO_ERROR; return NO_ERROR; } } Loading Loading @@ -2232,13 +2282,25 @@ status_t BnAudioPolicyService::onTransact( case START_AUDIO_SOURCE: { case START_AUDIO_SOURCE: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); struct audio_port_config source = {}; struct audio_port_config source = {}; data.read(&source, sizeof(struct audio_port_config)); status_t status = data.read(&source, sizeof(struct audio_port_config)); (void)sanitizeAudioPortConfig(&source); if (status != NO_ERROR) { return status; } audio_attributes_t attributes = {}; audio_attributes_t attributes = {}; data.read(&attributes, sizeof(audio_attributes_t)); status = data.read(&attributes, sizeof(audio_attributes_t)); sanetizeAudioAttributes(&attributes); if (status != NO_ERROR) { return status; } status = AudioSanitizer::sanitizeAudioPortConfig(&source); if (status == NO_ERROR) { // OK to not always sanitize attributes as startAudioSource() is not called if // the port config is invalid. status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "68953950"); } audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE; audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE; status_t status = startAudioSource(&source, &attributes, &portId); if (status == NO_ERROR) { status = startAudioSource(&source, &attributes, &portId); } reply->writeInt32(status); reply->writeInt32(status); reply->writeInt32(portId); reply->writeInt32(portId); return NO_ERROR; return NO_ERROR; Loading Loading @@ -2762,44 +2824,6 @@ status_t BnAudioPolicyService::onTransact( } } } } /** returns true if string overflow was prevented by zero termination */ template <size_t size> static bool preventStringOverflow(char (&s)[size]) { if (strnlen(s, size) < size) return false; s[size - 1] = '\0'; return true; } void BnAudioPolicyService::sanetizeAudioAttributes(audio_attributes_t* attr) { const size_t tagsMaxSize = AUDIO_ATTRIBUTES_TAGS_MAX_SIZE; if (strnlen(attr->tags, tagsMaxSize) >= tagsMaxSize) { android_errorWriteLog(0x534e4554, "68953950"); // SafetyNet logging } attr->tags[tagsMaxSize - 1] = '\0'; } /** returns BAD_VALUE if sanitization was required. */ status_t BnAudioPolicyService::sanitizeEffectDescriptor(effect_descriptor_t* desc) { if (preventStringOverflow(desc->name) | /* always */ preventStringOverflow(desc->implementor)) { android_errorWriteLog(0x534e4554, "73126106"); // SafetyNet logging return BAD_VALUE; } return NO_ERROR; } /** returns BAD_VALUE if sanitization was required. */ status_t BnAudioPolicyService::sanitizeAudioPortConfig(struct audio_port_config* config) { if (config->type == AUDIO_PORT_TYPE_DEVICE && preventStringOverflow(config->ext.device.address)) { return BAD_VALUE; } return NO_ERROR; } // ---------------------------------------------------------------------------- // ---------------------------------------------------------------------------- } // namespace android } // namespace android media/libaudioclient/include/media/AudioSanitizer.h 0 → 100644 +47 −0 Original line number Original line Diff line number Diff line /* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #ifndef ANDROID_AUDIO_SANITIZER_H_ #define ANDROID_AUDIO_SANITIZER_H_ #include <system/audio.h> #include <system/audio_effect.h> #include <utils/Errors.h> #include <utils/Log.h> namespace android { class AudioSanitizer { public: static status_t sanitizeAudioAttributes( audio_attributes_t *attr, const char *bugNumber = nullptr); static status_t sanitizeEffectDescriptor( effect_descriptor_t *desc, const char *bugNumber = nullptr); static status_t sanitizeAudioPortConfig( struct audio_port_config *config, const char *bugNumber = nullptr); static status_t sanitizeAudioPort( struct audio_port *port, const char *bugNumber = nullptr); static status_t sanitizeAudioPatch( struct audio_patch *patch, const char *bugNumber = nullptr); }; }; // namespace android #endif /*ANDROID_AUDIO_SANITIZER_H_*/ Loading
media/libaudioclient/Android.bp +1 −0 Original line number Original line Diff line number Diff line Loading @@ -63,6 +63,7 @@ cc_library_shared { "AudioEffect.cpp", "AudioEffect.cpp", "AudioRecord.cpp", "AudioRecord.cpp", "AudioSanitizer.cpp", "AudioSystem.cpp", "AudioSystem.cpp", "AudioTrack.cpp", "AudioTrack.cpp", "AudioTrackShared.cpp", "AudioTrackShared.cpp", Loading
media/libaudioclient/AudioSanitizer.cpp 0 → 100644 +116 −0 Original line number Original line Diff line number Diff line /* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <media/AudioSanitizer.h> namespace android { /** returns true if string overflow was prevented by zero termination */ template <size_t size> bool preventStringOverflow(char (&s)[size]) { if (strnlen(s, size) < size) return false; s[size - 1] = '\0'; return true; } status_t safetyNetLog(status_t status, const char *bugNumber) { if (status != NO_ERROR && bugNumber != nullptr) { android_errorWriteLog(0x534e4554, bugNumber); // SafetyNet logging } return status; } status_t AudioSanitizer::sanitizeAudioAttributes( audio_attributes_t *attr, const char *bugNumber) { status_t status = NO_ERROR; const size_t tagsMaxSize = AUDIO_ATTRIBUTES_TAGS_MAX_SIZE; if (strnlen(attr->tags, tagsMaxSize) >= tagsMaxSize) { status = BAD_VALUE; } attr->tags[tagsMaxSize - 1] = '\0'; return safetyNetLog(status, bugNumber); } /** returns BAD_VALUE if sanitization was required. */ status_t AudioSanitizer::sanitizeEffectDescriptor( effect_descriptor_t *desc, const char *bugNumber) { status_t status = NO_ERROR; if (preventStringOverflow(desc->name) | /* always */ preventStringOverflow(desc->implementor)) { status = BAD_VALUE; } return safetyNetLog(status, bugNumber); } /** returns BAD_VALUE if sanitization was required. */ status_t AudioSanitizer::sanitizeAudioPortConfig( struct audio_port_config *config, const char *bugNumber) { status_t status = NO_ERROR; if (config->type == AUDIO_PORT_TYPE_DEVICE && preventStringOverflow(config->ext.device.address)) { status = BAD_VALUE; } return safetyNetLog(status, bugNumber); } /** returns BAD_VALUE if sanitization was required. */ status_t AudioSanitizer::sanitizeAudioPort( struct audio_port *port, const char *bugNumber) { status_t status = NO_ERROR; if (preventStringOverflow(port->name)) { status = BAD_VALUE; } if (sanitizeAudioPortConfig(&port->active_config) != NO_ERROR) { status = BAD_VALUE; } if (port->type == AUDIO_PORT_TYPE_DEVICE && preventStringOverflow(port->ext.device.address)) { status = BAD_VALUE; } return safetyNetLog(status, bugNumber); } /** returns BAD_VALUE if sanitization was required. */ status_t AudioSanitizer::sanitizeAudioPatch( struct audio_patch *patch, const char *bugNumber) { status_t status = NO_ERROR; if (patch->num_sources > AUDIO_PATCH_PORTS_MAX) { patch->num_sources = AUDIO_PATCH_PORTS_MAX; status = BAD_VALUE; } if (patch->num_sinks > AUDIO_PATCH_PORTS_MAX) { patch->num_sinks = AUDIO_PATCH_PORTS_MAX; status = BAD_VALUE; } for (size_t i = 0; i < patch->num_sources; i++) { if (sanitizeAudioPortConfig(&patch->sources[i]) != NO_ERROR) { status = BAD_VALUE; } } for (size_t i = 0; i < patch->num_sinks; i++) { if (sanitizeAudioPortConfig(&patch->sinks[i]) != NO_ERROR) { status = BAD_VALUE; } } return safetyNetLog(status, bugNumber); } }; // namespace android
media/libaudioclient/IAudioFlinger.cpp +27 −7 Original line number Original line Diff line number Diff line Loading @@ -24,6 +24,7 @@ #include <binder/IPCThreadState.h> #include <binder/IPCThreadState.h> #include <binder/Parcel.h> #include <binder/Parcel.h> #include <media/AudioSanitizer.h> #include <mediautils/ServiceUtilities.h> #include <mediautils/ServiceUtilities.h> #include <mediautils/TimeCheck.h> #include <mediautils/TimeCheck.h> #include "IAudioFlinger.h" #include "IAudioFlinger.h" Loading Loading @@ -1483,10 +1484,15 @@ status_t BnAudioFlinger::onTransact( case GET_AUDIO_PORT: { case GET_AUDIO_PORT: { CHECK_INTERFACE(IAudioFlinger, data, reply); CHECK_INTERFACE(IAudioFlinger, data, reply); struct audio_port port = {}; struct audio_port port = {}; if (data.read(&port, sizeof(struct audio_port)) != NO_ERROR) { status_t status = data.read(&port, sizeof(struct audio_port)); if (status != NO_ERROR) { ALOGE("b/23905951"); ALOGE("b/23905951"); return status; } status = AudioSanitizer::sanitizeAudioPort(&port); if (status == NO_ERROR) { status = getAudioPort(&port); } } status_t status = getAudioPort(&port); reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->write(&port, sizeof(struct audio_port)); reply->write(&port, sizeof(struct audio_port)); Loading @@ -1496,12 +1502,20 @@ status_t BnAudioFlinger::onTransact( case CREATE_AUDIO_PATCH: { case CREATE_AUDIO_PATCH: { CHECK_INTERFACE(IAudioFlinger, data, reply); CHECK_INTERFACE(IAudioFlinger, data, reply); struct audio_patch patch; struct audio_patch patch; data.read(&patch, sizeof(struct audio_patch)); status_t status = data.read(&patch, sizeof(struct audio_patch)); if (status != NO_ERROR) { return status; } audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; if (data.read(&handle, sizeof(audio_patch_handle_t)) != NO_ERROR) { status = data.read(&handle, sizeof(audio_patch_handle_t)); if (status != NO_ERROR) { ALOGE("b/23905951"); ALOGE("b/23905951"); return status; } status = AudioSanitizer::sanitizeAudioPatch(&patch); if (status == NO_ERROR) { status = createAudioPatch(&patch, &handle); } } status_t status = createAudioPatch(&patch, &handle); reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->write(&handle, sizeof(audio_patch_handle_t)); reply->write(&handle, sizeof(audio_patch_handle_t)); Loading Loading @@ -1546,8 +1560,14 @@ status_t BnAudioFlinger::onTransact( case SET_AUDIO_PORT_CONFIG: { case SET_AUDIO_PORT_CONFIG: { CHECK_INTERFACE(IAudioFlinger, data, reply); CHECK_INTERFACE(IAudioFlinger, data, reply); struct audio_port_config config; struct audio_port_config config; data.read(&config, sizeof(struct audio_port_config)); status_t status = data.read(&config, sizeof(struct audio_port_config)); status_t status = setAudioPortConfig(&config); if (status != NO_ERROR) { return status; } status = AudioSanitizer::sanitizeAudioPortConfig(&config); if (status == NO_ERROR) { status = setAudioPortConfig(&config); } reply->writeInt32(status); reply->writeInt32(status); return NO_ERROR; return NO_ERROR; } break; } break; Loading
media/libaudioclient/IAudioPolicyService.cpp +105 −81 Original line number Original line Diff line number Diff line Loading @@ -26,6 +26,7 @@ #include <binder/IPCThreadState.h> #include <binder/IPCThreadState.h> #include <binder/Parcel.h> #include <binder/Parcel.h> #include <media/AudioEffect.h> #include <media/AudioEffect.h> #include <media/AudioSanitizer.h> #include <media/IAudioPolicyService.h> #include <media/IAudioPolicyService.h> #include <mediautils/ServiceUtilities.h> #include <mediautils/ServiceUtilities.h> #include <mediautils/TimeCheck.h> #include <mediautils/TimeCheck.h> Loading Loading @@ -1685,7 +1686,6 @@ status_t BnAudioPolicyService::onTransact( if (status != NO_ERROR) { if (status != NO_ERROR) { return status; return status; } } sanetizeAudioAttributes(&attr); audio_session_t session = (audio_session_t)data.readInt32(); audio_session_t session = (audio_session_t)data.readInt32(); audio_stream_type_t stream = AUDIO_STREAM_DEFAULT; audio_stream_type_t stream = AUDIO_STREAM_DEFAULT; bool hasStream = data.readInt32() != 0; bool hasStream = data.readInt32() != 0; Loading @@ -1703,10 +1703,14 @@ status_t BnAudioPolicyService::onTransact( audio_port_handle_t portId = (audio_port_handle_t)data.readInt32(); audio_port_handle_t portId = (audio_port_handle_t)data.readInt32(); audio_io_handle_t output = 0; audio_io_handle_t output = 0; std::vector<audio_io_handle_t> secondaryOutputs; std::vector<audio_io_handle_t> secondaryOutputs; status = AudioSanitizer::sanitizeAudioAttributes(&attr, "68953950"); if (status == NO_ERROR) { status = getOutputForAttr(&attr, status = getOutputForAttr(&attr, &output, session, &stream, pid, uid, &output, session, &stream, pid, uid, &config, &config, flags, &selectedDeviceId, &portId, &secondaryOutputs); flags, &selectedDeviceId, &portId, &secondaryOutputs); } reply->writeInt32(status); reply->writeInt32(status); status = reply->write(&attr, sizeof(audio_attributes_t)); status = reply->write(&attr, sizeof(audio_attributes_t)); if (status != NO_ERROR) { if (status != NO_ERROR) { Loading Loading @@ -1745,8 +1749,11 @@ status_t BnAudioPolicyService::onTransact( case GET_INPUT_FOR_ATTR: { case GET_INPUT_FOR_ATTR: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); audio_attributes_t attr = {}; audio_attributes_t attr = {}; data.read(&attr, sizeof(audio_attributes_t)); status_t status = data.read(&attr, sizeof(audio_attributes_t)); sanetizeAudioAttributes(&attr); if (status != NO_ERROR) { return status; } audio_io_handle_t input = (audio_io_handle_t)data.readInt32(); audio_io_handle_t input = (audio_io_handle_t)data.readInt32(); audio_unique_id_t riid = (audio_unique_id_t)data.readInt32(); audio_unique_id_t riid = (audio_unique_id_t)data.readInt32(); audio_session_t session = (audio_session_t)data.readInt32(); audio_session_t session = (audio_session_t)data.readInt32(); Loading @@ -1759,9 +1766,13 @@ status_t BnAudioPolicyService::onTransact( audio_input_flags_t flags = (audio_input_flags_t) data.readInt32(); audio_input_flags_t flags = (audio_input_flags_t) data.readInt32(); audio_port_handle_t selectedDeviceId = (audio_port_handle_t) data.readInt32(); audio_port_handle_t selectedDeviceId = (audio_port_handle_t) data.readInt32(); audio_port_handle_t portId = (audio_port_handle_t)data.readInt32(); audio_port_handle_t portId = (audio_port_handle_t)data.readInt32(); status_t status = getInputForAttr(&attr, &input, riid, session, pid, uid, status = AudioSanitizer::sanitizeAudioAttributes(&attr, "68953950"); if (status == NO_ERROR) { status = getInputForAttr(&attr, &input, riid, session, pid, uid, opPackageName, &config, opPackageName, &config, flags, &selectedDeviceId, &portId); flags, &selectedDeviceId, &portId); } reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->writeInt32(input); reply->writeInt32(input); Loading Loading @@ -1842,11 +1853,15 @@ status_t BnAudioPolicyService::onTransact( if (status != NO_ERROR) { if (status != NO_ERROR) { return status; return status; } } int index = data.readInt32(); int index = data.readInt32(); audio_devices_t device = static_cast <audio_devices_t>(data.readInt32()); audio_devices_t device = static_cast <audio_devices_t>(data.readInt32()); reply->writeInt32(static_cast <uint32_t>(setVolumeIndexForAttributes(attributes, status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); index, device))); if (status == NO_ERROR) { status = setVolumeIndexForAttributes(attributes, index, device); } reply->writeInt32(static_cast <int32_t>(status)); return NO_ERROR; return NO_ERROR; } break; } break; Loading @@ -1860,8 +1875,11 @@ status_t BnAudioPolicyService::onTransact( audio_devices_t device = static_cast <audio_devices_t>(data.readInt32()); audio_devices_t device = static_cast <audio_devices_t>(data.readInt32()); int index = 0; int index = 0; status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); if (status == NO_ERROR) { status = getVolumeIndexForAttributes(attributes, index, device); status = getVolumeIndexForAttributes(attributes, index, device); reply->writeInt32(static_cast <uint32_t>(status)); } reply->writeInt32(static_cast <int32_t>(status)); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->writeInt32(index); reply->writeInt32(index); } } Loading @@ -1877,8 +1895,11 @@ status_t BnAudioPolicyService::onTransact( } } int index = 0; int index = 0; status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); if (status == NO_ERROR) { status = getMinVolumeIndexForAttributes(attributes, index); status = getMinVolumeIndexForAttributes(attributes, index); reply->writeInt32(static_cast <uint32_t>(status)); } reply->writeInt32(static_cast <int32_t>(status)); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->writeInt32(index); reply->writeInt32(index); } } Loading @@ -1894,8 +1915,11 @@ status_t BnAudioPolicyService::onTransact( } } int index = 0; int index = 0; status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); if (status == NO_ERROR) { status = getMaxVolumeIndexForAttributes(attributes, index); status = getMaxVolumeIndexForAttributes(attributes, index); reply->writeInt32(static_cast <uint32_t>(status)); } reply->writeInt32(static_cast <int32_t>(status)); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->writeInt32(index); reply->writeInt32(index); } } Loading @@ -1913,31 +1937,37 @@ status_t BnAudioPolicyService::onTransact( case GET_OUTPUT_FOR_EFFECT: { case GET_OUTPUT_FOR_EFFECT: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); effect_descriptor_t desc = {}; effect_descriptor_t desc = {}; if (data.read(&desc, sizeof(desc)) != NO_ERROR) { status_t status = data.read(&desc, sizeof(desc)); if (status != NO_ERROR) { android_errorWriteLog(0x534e4554, "73126106"); android_errorWriteLog(0x534e4554, "73126106"); return status; } } (void)sanitizeEffectDescriptor(&desc); audio_io_handle_t output = AUDIO_IO_HANDLE_NONE; audio_io_handle_t output = getOutputForEffect(&desc); status = AudioSanitizer::sanitizeEffectDescriptor(&desc, "73126106"); reply->writeInt32(static_cast <int>(output)); if (status == NO_ERROR) { output = getOutputForEffect(&desc); } reply->writeInt32(static_cast <int32_t>(output)); return NO_ERROR; return NO_ERROR; } break; } break; case REGISTER_EFFECT: { case REGISTER_EFFECT: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); effect_descriptor_t desc = {}; effect_descriptor_t desc = {}; if (data.read(&desc, sizeof(desc)) != NO_ERROR) { status_t status = data.read(&desc, sizeof(desc)); if (status != NO_ERROR) { android_errorWriteLog(0x534e4554, "73126106"); android_errorWriteLog(0x534e4554, "73126106"); return status; } } (void)sanitizeEffectDescriptor(&desc); audio_io_handle_t io = data.readInt32(); audio_io_handle_t io = data.readInt32(); uint32_t strategy = data.readInt32(); uint32_t strategy = data.readInt32(); audio_session_t session = (audio_session_t) data.readInt32(); audio_session_t session = (audio_session_t) data.readInt32(); int id = data.readInt32(); int id = data.readInt32(); reply->writeInt32(static_cast <int32_t>(registerEffect(&desc, status = AudioSanitizer::sanitizeEffectDescriptor(&desc, "73126106"); io, if (status == NO_ERROR) { strategy, status = registerEffect(&desc, io, strategy, session, id); session, } id))); reply->writeInt32(static_cast <int32_t>(status)); return NO_ERROR; return NO_ERROR; } break; } break; Loading Loading @@ -2046,7 +2076,11 @@ status_t BnAudioPolicyService::onTransact( if (status != NO_ERROR) return status; if (status != NO_ERROR) return status; status = data.read(&attributes, sizeof(audio_attributes_t)); status = data.read(&attributes, sizeof(audio_attributes_t)); if (status != NO_ERROR) return status; if (status != NO_ERROR) return status; reply->writeInt32(isDirectOutputSupported(config, attributes)); status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "169572641"); if (status == NO_ERROR) { status = isDirectOutputSupported(config, attributes); } reply->writeInt32(static_cast <int32_t>(status)); return NO_ERROR; return NO_ERROR; } } Loading Loading @@ -2085,10 +2119,15 @@ status_t BnAudioPolicyService::onTransact( case GET_AUDIO_PORT: { case GET_AUDIO_PORT: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); struct audio_port port = {}; struct audio_port port = {}; if (data.read(&port, sizeof(struct audio_port)) != NO_ERROR) { status_t status = data.read(&port, sizeof(struct audio_port)); if (status != NO_ERROR) { ALOGE("b/23912202"); ALOGE("b/23912202"); return status; } status = AudioSanitizer::sanitizeAudioPort(&port); if (status == NO_ERROR) { status = getAudioPort(&port); } } status_t status = getAudioPort(&port); reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->write(&port, sizeof(struct audio_port)); reply->write(&port, sizeof(struct audio_port)); Loading @@ -2099,12 +2138,20 @@ status_t BnAudioPolicyService::onTransact( case CREATE_AUDIO_PATCH: { case CREATE_AUDIO_PATCH: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); struct audio_patch patch = {}; struct audio_patch patch = {}; data.read(&patch, sizeof(struct audio_patch)); status_t status = data.read(&patch, sizeof(struct audio_patch)); if (status != NO_ERROR) { return status; } audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; if (data.read(&handle, sizeof(audio_patch_handle_t)) != NO_ERROR) { status = data.read(&handle, sizeof(audio_patch_handle_t)); if (status != NO_ERROR) { ALOGE("b/23912202"); ALOGE("b/23912202"); return status; } status = AudioSanitizer::sanitizeAudioPatch(&patch); if (status == NO_ERROR) { status = createAudioPatch(&patch, &handle); } } status_t status = createAudioPatch(&patch, &handle); reply->writeInt32(status); reply->writeInt32(status); if (status == NO_ERROR) { if (status == NO_ERROR) { reply->write(&handle, sizeof(audio_patch_handle_t)); reply->write(&handle, sizeof(audio_patch_handle_t)); Loading Loading @@ -2154,9 +2201,12 @@ status_t BnAudioPolicyService::onTransact( case SET_AUDIO_PORT_CONFIG: { case SET_AUDIO_PORT_CONFIG: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); struct audio_port_config config = {}; struct audio_port_config config = {}; data.read(&config, sizeof(struct audio_port_config)); status_t status = data.read(&config, sizeof(struct audio_port_config)); (void)sanitizeAudioPortConfig(&config); if (status != NO_ERROR) { status_t status = setAudioPortConfig(&config); return status; } (void)AudioSanitizer::sanitizeAudioPortConfig(&config); status = setAudioPortConfig(&config); reply->writeInt32(status); reply->writeInt32(status); return NO_ERROR; return NO_ERROR; } } Loading Loading @@ -2232,13 +2282,25 @@ status_t BnAudioPolicyService::onTransact( case START_AUDIO_SOURCE: { case START_AUDIO_SOURCE: { CHECK_INTERFACE(IAudioPolicyService, data, reply); CHECK_INTERFACE(IAudioPolicyService, data, reply); struct audio_port_config source = {}; struct audio_port_config source = {}; data.read(&source, sizeof(struct audio_port_config)); status_t status = data.read(&source, sizeof(struct audio_port_config)); (void)sanitizeAudioPortConfig(&source); if (status != NO_ERROR) { return status; } audio_attributes_t attributes = {}; audio_attributes_t attributes = {}; data.read(&attributes, sizeof(audio_attributes_t)); status = data.read(&attributes, sizeof(audio_attributes_t)); sanetizeAudioAttributes(&attributes); if (status != NO_ERROR) { return status; } status = AudioSanitizer::sanitizeAudioPortConfig(&source); if (status == NO_ERROR) { // OK to not always sanitize attributes as startAudioSource() is not called if // the port config is invalid. status = AudioSanitizer::sanitizeAudioAttributes(&attributes, "68953950"); } audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE; audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE; status_t status = startAudioSource(&source, &attributes, &portId); if (status == NO_ERROR) { status = startAudioSource(&source, &attributes, &portId); } reply->writeInt32(status); reply->writeInt32(status); reply->writeInt32(portId); reply->writeInt32(portId); return NO_ERROR; return NO_ERROR; Loading Loading @@ -2762,44 +2824,6 @@ status_t BnAudioPolicyService::onTransact( } } } } /** returns true if string overflow was prevented by zero termination */ template <size_t size> static bool preventStringOverflow(char (&s)[size]) { if (strnlen(s, size) < size) return false; s[size - 1] = '\0'; return true; } void BnAudioPolicyService::sanetizeAudioAttributes(audio_attributes_t* attr) { const size_t tagsMaxSize = AUDIO_ATTRIBUTES_TAGS_MAX_SIZE; if (strnlen(attr->tags, tagsMaxSize) >= tagsMaxSize) { android_errorWriteLog(0x534e4554, "68953950"); // SafetyNet logging } attr->tags[tagsMaxSize - 1] = '\0'; } /** returns BAD_VALUE if sanitization was required. */ status_t BnAudioPolicyService::sanitizeEffectDescriptor(effect_descriptor_t* desc) { if (preventStringOverflow(desc->name) | /* always */ preventStringOverflow(desc->implementor)) { android_errorWriteLog(0x534e4554, "73126106"); // SafetyNet logging return BAD_VALUE; } return NO_ERROR; } /** returns BAD_VALUE if sanitization was required. */ status_t BnAudioPolicyService::sanitizeAudioPortConfig(struct audio_port_config* config) { if (config->type == AUDIO_PORT_TYPE_DEVICE && preventStringOverflow(config->ext.device.address)) { return BAD_VALUE; } return NO_ERROR; } // ---------------------------------------------------------------------------- // ---------------------------------------------------------------------------- } // namespace android } // namespace android
media/libaudioclient/include/media/AudioSanitizer.h 0 → 100644 +47 −0 Original line number Original line Diff line number Diff line /* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #ifndef ANDROID_AUDIO_SANITIZER_H_ #define ANDROID_AUDIO_SANITIZER_H_ #include <system/audio.h> #include <system/audio_effect.h> #include <utils/Errors.h> #include <utils/Log.h> namespace android { class AudioSanitizer { public: static status_t sanitizeAudioAttributes( audio_attributes_t *attr, const char *bugNumber = nullptr); static status_t sanitizeEffectDescriptor( effect_descriptor_t *desc, const char *bugNumber = nullptr); static status_t sanitizeAudioPortConfig( struct audio_port_config *config, const char *bugNumber = nullptr); static status_t sanitizeAudioPort( struct audio_port *port, const char *bugNumber = nullptr); static status_t sanitizeAudioPatch( struct audio_patch *patch, const char *bugNumber = nullptr); }; }; // namespace android #endif /*ANDROID_AUDIO_SANITIZER_H_*/
