Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fd56e815 authored by Dean Wheatley's avatar Dean Wheatley Committed by Andy Hung
Browse files

Fix signed integer overflow 

The operation "mRsmpInRear += framesRead;" would overflow
the 32-bit variables within 12 minutes for MSD HAL StreamIn IEC61937
MAT 2.0 framed streams (that generate 61440 bytes per 20 milliseconds).

Test: enable integer_overflow diagnostics, enable MSD HAL with IEC
      MAT patch, wait for 12 minutes for UBSan crash, and check record
      thread frame counts have exceeded 2^31.
Change-Id: I9925bf39a1e3d910850efef859e0a412962391ac
parent b7c14e4c

services/audioflinger/Threads.cpp

+1 −1
Original line number Diff line number Diff line
@@ -7429,7 +7429,7 @@ reacquire_wakelock: 
                        (framesRead - part1) * mFrameSize);

            }

        }

        rear = mRsmpInRear += framesRead;

        mRsmpInRear = audio_utils::safe_add_overflow(mRsmpInRear, (int32_t)framesRead);



        size = activeTracks.size();