Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Unverified Commit b1ecf9cf authored by Phil Burk's avatar Phil Burk Committed by Kevin F. Haggerty
Browse files

RESTRICT AUTOMERGE: aaudio: Fix converting negative FIFO counters to index 

The index into the FIFO is calculated by using:

    counter % capacity

But the counter is signed and when it is negative the
modulo can have a negative result. That can cause
a negative array index and an access out of bounds.

This is not normally a problem because the counter
is 64 bits and it will not overflow until the audio
has run for a few million years. But a hacker might
be able to modify this internal counter and force
an error.

The solution involves casting to a uint64_t before doing
the modulo.

Note that there may still be a discontinuity when the
counter wraps from -1 to 0. But that will not result
in an out-of-bounds access. It may cause a noise but
an app could simply create a noise directly. So that is
not considered an exploit.

Bug: 120789744
Test: test_atomic_fifo.cpp
Change-Id: I6fe57bcb44528d29b5edb817c592e5e9a8aaf8eb
(cherry picked from commit d1fc53ca)
parent 7fc76d8d
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment