Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c694ff44 authored by Pavlin Radoslavov's avatar Pavlin Radoslavov
Browse files

Add missing nullptr checks for data.readCString() strings 

Protect the Audio Policy Manager by adding extra checks
for data.readCString() strings when parsing / decoding
a Binder transaction.

Also:
 * Moved audio_is_output_device() / audio_is_input_device() checks
   inside handleDeviceConfigChange()
   from the AudioPolicyInterface to the AudioPolicyManager
 * Removed similar redundant checks inside
    AudioPolicyService::setDeviceConnectionState()

Test: code compilation
Change-Id: Ib32a28ba2669b73aaf32b31bb18f41c8dd7d2605
parent 20adbc00

media/libaudioclient/IAudioPolicyService.cpp

+24 −9
Original line number Diff line number Diff line
@@ -835,10 +835,15 @@ status_t BnAudioPolicyService::onTransact( 
                    static_cast <audio_policy_dev_state_t>(data.readInt32());

            const char *device_address = data.readCString();

            const char *device_name = data.readCString();

            if (device_address == nullptr || device_name == nullptr) {

                ALOGE("Bad Binder transaction: SET_DEVICE_CONNECTION_STATE for device %u", device);

                reply->writeInt32(static_cast<int32_t> (BAD_VALUE));

            } else {

                reply->writeInt32(static_cast<uint32_t> (setDeviceConnectionState(device,

                                                                                  state,

                                                                                  device_address,

                                                                                  device_name)));

            }

            return NO_ERROR;

        } break;
@@ -847,8 +852,13 @@ status_t BnAudioPolicyService::onTransact( 
            audio_devices_t device =

                    static_cast<audio_devices_t> (data.readInt32());

            const char *device_address = data.readCString();

            if (device_address == nullptr) {

                ALOGE("Bad Binder transaction: GET_DEVICE_CONNECTION_STATE for device %u", device);

                reply->writeInt32(static_cast<int32_t> (AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE));

            } else {

                reply->writeInt32(static_cast<uint32_t> (getDeviceConnectionState(device,

                                                                                  device_address)));

            }

            return NO_ERROR;

        } break;
@@ -858,9 +868,14 @@ status_t BnAudioPolicyService::onTransact( 
                    static_cast <audio_devices_t>(data.readInt32());

            const char *device_address = data.readCString();

            const char *device_name = data.readCString();

            if (device_address == nullptr || device_name == nullptr) {

                ALOGE("Bad Binder transaction: HANDLE_DEVICE_CONFIG_CHANGE for device %u", device);

                reply->writeInt32(static_cast<int32_t> (BAD_VALUE));

            } else {

                reply->writeInt32(static_cast<uint32_t> (handleDeviceConfigChange(device,

                                                                                  device_address,

                                                                                  device_name)));

            }

            return NO_ERROR;

        } break;

services/audiopolicy/managerdefault/AudioPolicyManager.cpp

+3 −0
Original line number Diff line number Diff line
@@ -342,6 +342,9 @@ status_t AudioPolicyManager::handleDeviceConfigChange(audio_devices_t device, 
    ALOGV("handleDeviceConfigChange(() device: 0x%X, address %s name %s",

          device, device_address, device_name);



    // connect/disconnect only 1 device at a time

    if (!audio_is_output_device(device) && !audio_is_input_device(device)) return BAD_VALUE;



    // Check if the device is currently connected

    sp<DeviceDescriptor> devDesc =

            mHwModules.getDeviceDescriptor(device, device_address, device_name);

services/audiopolicy/service/AudioPolicyInterfaceImpl.cpp

+0 −6
Original line number Diff line number Diff line
@@ -37,9 +37,6 @@ status_t AudioPolicyService::setDeviceConnectionState(audio_devices_t device, 
    if (!settingsAllowed()) {

        return PERMISSION_DENIED;

    }

    if (!audio_is_output_device(device) && !audio_is_input_device(device)) {

        return BAD_VALUE;

    }

    if (state != AUDIO_POLICY_DEVICE_STATE_AVAILABLE &&

            state != AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE) {

        return BAD_VALUE;
@@ -72,9 +69,6 @@ status_t AudioPolicyService::handleDeviceConfigChange(audio_devices_t device, 
    if (!settingsAllowed()) {

        return PERMISSION_DENIED;

    }

    if (!audio_is_output_device(device) && !audio_is_input_device(device)) {

        return BAD_VALUE;

    }



    ALOGV("handleDeviceConfigChange()");

    Mutex::Autolock _l(mLock);