agm: fix multiple out of bound read issues in agm hidl interface
Change-Id: I0d7f0af5ec241d4e8efe44f22ba405b5f0a6735c
diff --git a/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp b/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
index b8dd8c7..78b83f0 100644
--- a/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
+++ b/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
@@ -541,6 +541,10 @@
ALOGV("%s called with aif_id = %d, size = %d\n", __func__, aif_id, size);
uint8_t * metadata_l = NULL;
int32_t ret = 0;
+
+ if (metadata.size() < size) {
+ return -EINVAL;
+ }
metadata_l = (uint8_t *) calloc(1,size);
if (metadata_l == NULL) {
ALOGE("%s: Cannot allocate memory for metadata_l\n", __func__);
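Review bot: The added `metadata.size() < size` guard returns -EINVAL silently, while the calloc failure directly below it is reported through ALOGE. This check rejects a client-supplied length that does not match the vector actually received, so a log line would make the rejection visible when triaging a malformed or hostile caller: `ALOGE("%s: metadata.size() %zu < size %d\n", __func__, metadata.size(), size);` (the `%d` mirrors the existing ALOGV; adjust it if `size` is unsigned). The same silent return is in every other guard this commit adds, at new-side hunks 562, 590, 666, 726, 751, 807, 860, 1108 and 1463. The enclosing function starts and ends outside the hunk.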
@@ -558,6 +562,11 @@
ALOGV("%s : session_id = %d, size = %d\n", __func__, session_id, size);
uint8_t * metadata_l = NULL;
int32_t ret = 0;
+
+ if (metadata.size() < size) {
+ return -EINVAL;
+ }
+
metadata_l = (uint8_t *) calloc(1,size);
if (metadata_l == NULL) {
ALOGE("%s: Cannot allocate memory for metadata_l\n", __func__);
@@ -581,6 +590,11 @@
session_id, aif_id, size);
uint8_t * metadata_l = NULL;
int32_t ret = 0;
+
+ if (metadata.size() < size) {
+ return -EINVAL;
+ }
+
metadata_l = (uint8_t *) calloc(1,size);
if (metadata_l == NULL) {
ALOGE("%s: Cannot allocate memory for metadata_l\n", __func__);
@@ -652,6 +666,11 @@
int32_t ret = 0;
hidl_vec<uint8_t> payload_hidl;
+ if (buff.size() < size) {
+ _hidl_cb(-EINVAL, size);
+ return Void();
+ }
+
payload_local = (uint8_t *) calloc (1, size);
if (payload_local == NULL) {
ALOGE("%s: Cannot allocate memory for payload_local\n", __func__);
@@ -707,6 +726,11 @@
int32_t ret = 0;
ALOGV("%s : aif_id =%d, size = %d\n", __func__, aif_id, size);
+
+ if (payload.size() < size) {
+ return -EINVAL;
+ }
+
payload_local = (void*) calloc (1,size);
if (payload_local == NULL) {
ALOGE("%s: calloc failed for payload_local\n", __func__);
@@ -727,6 +751,11 @@
size_t size_local = (size_t) size;
void * payload_local = NULL;
int32_t ret = 0;
+
+ if (payload.size() < size) {
+ return -EINVAL;
+ }
+
payload_local = (void*) calloc (1,size);
if (payload_local == NULL) {
ALOGE("%s: Cannot allocate memory for payload_local\n", __func__);
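Review bot: The guard compares `payload.size()` with the raw `size`, although `size_local` already holds that value as a `size_t` three lines above. Writing it as `if (payload.size() < size_local) {` keeps both operands the same type and removes the implicit conversion from the bounds check. If `size` is a signed parameter, which the hunk does not show, a `-Wsign-compare` warning goes away as well. The hunks at new lines 807 and 860 show the same `size_local` declaration and can take the same change. The function body continues outside the hunk.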
@@ -778,6 +807,11 @@
size_t size_local = (size_t) size;
void * payload_local = NULL;
int32_t ret = 0;
+
+ if (payload.size() < size) {
+ return -EINVAL;
+ }
+
payload_local = (void*) calloc (1,size);
if (payload_local == NULL) {
ALOGE("%s: Cannot allocate memory for payload_local\n", __func__);
@@ -826,6 +860,10 @@
size_t size_local = (size_t) size;
void * payload_local = NULL;
int32_t ret = 0;
+
+ if (payload.size() < size) {
+ return -EINVAL;
+ }
payload_local = (void*) calloc(1,size);
if (payload_local == NULL) {
ALOGE("%s: Cannot allocate memory for payload_local\n", __func__);
@@ -1070,6 +1108,12 @@
ipc_agm_session_write_cb _hidl_cb) {
ALOGV("%s called with handle = %llx \n", __func__, (unsigned long long) hndl);
void* buffer = NULL;
+
+ if (buff.size() < count) {
+ _hidl_cb(-EINVAL, count);
+ return Void();
+ }
+
buffer = (void*) calloc(1,count);
if (buffer == NULL) {
ALOGE("%s: Cannot allocate memory for buffer\n", __func__);
@@ -1419,6 +1463,10 @@
buf.addr = nullptr;
buf.metadata = nullptr;
+ if (buff_hidl.data()->metadata.size() < buff_hidl.data()->metadata_size) {
+ _hidl_cb(-EINVAL, buff_hidl.data()->metadata_size);
+ return Void();
+ }
bufSize = buff_hidl.data()->size;
buf.addr = (uint8_t *)calloc(1, bufSize);
if (!buf.addr) {
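Review bot: The added check dereferences `buff_hidl.data()` three times without any visible test that `buff_hidl` holds at least one element. If it is a `hidl_vec` received from the client, which the hunk does not show, an empty vector leaves nothing valid to read, and `if (buff_hidl.size() == 0) { _hidl_cb(-EINVAL, 0); return Void(); }` ahead of the new block would cover that. Only `metadata` is bounded here: `buff_hidl.data()->size` becomes `bufSize` on the next line and sizes the allocation, so any later copy of `bufSize` bytes out of the request would need a matching bound. The function starts before and continues past the hunk, so either check may already exist there.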