Merge "service: metadata: Add checks for heap overflow"
diff --git a/ipc/DBus/agm_server/src/agm-dbus-utils.cpp b/ipc/DBus/agm_server/src/agm-dbus-utils.cpp
index d5616be..e16baaf 100644
--- a/ipc/DBus/agm_server/src/agm-dbus-utils.cpp
+++ b/ipc/DBus/agm_server/src/agm-dbus-utils.cpp
@@ -496,6 +496,10 @@
if ((object = (agm_dbus_object *)
g_hash_table_lookup(conn->objects, dbus_obj_path)) == NULL) {
object = (agm_dbus_object *)malloc(sizeof(agm_dbus_object));
+ if (object == NULL) {
+ AGM_LOGE("object is NULL\n");
+ goto object_malloc_failed;
+ }
object->obj_path = dbus_obj_path;
object->interfaces = g_hash_table_new_full(g_str_hash,
g_str_equal,
@@ -503,6 +507,10 @@
agm_free_interface);
interface = (agm_dbus_interface *)malloc(sizeof(agm_dbus_interface));
+ if (interface == NULL) {
+ AGM_LOGE("interface is NULL\n");
+ goto interface_malloc_failed;
+ }
interface->name = interface_info->name;
interface->methods = g_hash_table_new_full(g_str_hash,
g_str_equal,
@@ -511,6 +519,10 @@
for (i = 0; i < interface_info->method_count; i++) {
method = (agm_dbus_method *)malloc(sizeof(agm_dbus_method));
+ if (method == NULL) {
+ AGM_LOGE("method is NULL\n");
+ goto method_malloc_failed;
+ }
method->method_name = interface_info->methods[i].method_name;
method->method_signature =
interface_info->methods[i].method_signature;
@@ -526,6 +538,10 @@
agm_free_signal);
for (i = 0; i < interface_info->signal_count; i++) {
signal = (agm_dbus_signal *)malloc(sizeof(agm_dbus_signal));
+ if (signal == NULL) {
+ AGM_LOGE("signal is NULL\n");
+ goto signal_malloc_failed;
+ }
signal->method_name = interface_info->signals[i].method_name;
signal->method_signature =
interface_info->signals[i].method_signature;
@@ -555,6 +571,10 @@
interface_info->name)) == NULL) {
interface = (agm_dbus_interface *)
malloc(sizeof(agm_dbus_interface));
+ if (interface == NULL) {
+ AGM_LOGE("interface is NULL\n");
+ goto interface_malloc_failed;
+ }
interface->name = interface_info->name;
interface->signals = NULL;
interface->methods = NULL;
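Review bot: Jumping to `interface_malloc_failed` from this branch frees an `object` that was not allocated here. This appears to be the path where `g_hash_table_lookup(conn->objects, dbus_obj_path)` found an existing object (the start of the branch is outside the hunk), and the label runs `free(object)` while `conn->objects` still holds the pointer, which would leave a dangling entry for later lookups and for `agm_dbus_connection_free`. The `method_malloc_failed` and `signal_malloc_failed` jumps in the next two hunks fall through to the same `free(object)`. I would free `object` only when this call allocated it, for example by setting a `bool object_is_new` next to the first `malloc` and testing `if (object_is_new)` at the label.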
@@ -566,6 +586,10 @@
for (i = 0; i < interface_info->method_count; i++) {
method = (agm_dbus_method *)malloc(sizeof(agm_dbus_method));
+ if (method == NULL) {
+ AGM_LOGE("method is NULL\n");
+ goto method_malloc_failed;
+ }
method->method_name =
interface_info->methods[i].method_name;
method->method_signature =
@@ -584,6 +608,10 @@
agm_free_signal);
for (i = 0; i < interface_info->signal_count; i++) {
signal = (agm_dbus_signal *)malloc(sizeof(agm_dbus_signal));
+ if (signal == NULL) {
+ AGM_LOGE("signal is NULL\n");
+ goto signal_malloc_failed;
+ }
signal->method_name =
interface_info->signals[i].method_name;
signal->method_signature =
@@ -603,6 +631,21 @@
dbus_error_free(&err);
return 0;
+
+signal_malloc_failed:
+ free(method);
+ method = NULL;
+method_malloc_failed:
+ free(interface);
+ interface = NULL;
+interface_malloc_failed:
+ if (object) {
+ free(object);
+ object = NULL;
+ }
+object_malloc_failed:
+ dbus_error_free(&err);
+ return -EINVAL;
}
void agm_dbus_connection_free(agm_dbus_connection *conn) {
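Review bot: The cleanup labels release the structs with plain `free()`, which skips the hash tables they own and may free memory that a table still references. `free(interface)` at `method_malloc_failed` does not destroy `interface->methods` (created with `g_hash_table_new_full` in an earlier hunk), and `free(object)` does not destroy `object->interfaces`. At `signal_malloc_failed`, `method` is whatever the method loop last allocated, which has presumably been inserted into `interface->methods` by then (the insert is outside the visible hunks), or still holds its initial value if `method_count` is 0. Consider calling `g_hash_table_destroy()` on the tables created in this call before freeing their owner, and dropping the `free(method)`. `-ENOMEM` would also describe these failures better than `-EINVAL`.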
@@ -624,6 +667,10 @@
agm_dbus_connection *conn = NULL;
conn = (agm_dbus_connection *)malloc(sizeof(agm_dbus_connection));
+ if (conn == NULL) {
+ AGM_LOGE("conn is NULL\n");
+ return NULL;
+ }
conn->objects = NULL;
dbus_error_init(&err);
diff --git a/ipc/DBus/agm_server/src/agm_server_wrapper_dbus.cpp b/ipc/DBus/agm_server/src/agm_server_wrapper_dbus.cpp
index d8951e1..054f354 100644
--- a/ipc/DBus/agm_server/src/agm_server_wrapper_dbus.cpp
+++ b/ipc/DBus/agm_server/src/agm_server_wrapper_dbus.cpp
@@ -387,12 +387,22 @@
g_hash_table_lookup(mdata->sessions,
GUINT_TO_POINTER(session_id))) == NULL) {
ses_data = (agm_session_data *)malloc(sizeof(agm_session_data));
+ if (ses_data == NULL) {
+ AGM_LOGE("ses_data is NULL\n");
+ return NULL;
+ }
ses_data->session_id = session_id;
ss << ses_data->session_id;
obj_length = sizeof(char)*(strlen(AGM_OBJECT_PATH)) +
strlen("/session_") +
ss.str().length() + 1;
ses_data->dbus_obj_path = (char *)malloc(obj_length);
+ if (ses_data->dbus_obj_path == NULL) {
+ AGM_LOGE("dbus_obj_path is NULL\n");
+ free(ses_data);
+ ses_data = NULL;
+ return NULL;
+ }
snprintf(ses_data->dbus_obj_path,
obj_length,
"%s%s%d",
@@ -432,6 +442,10 @@
AGM_LOGE("%s: Received event for session %d", __func__, session_id);
buf = malloc(event_params->event_payload_size);
+ if (buf == NULL) {
+ AGM_LOGE("buf is NULL");
+ return;
+ }
memcpy(buf, event_params->event_payload, event_params->event_payload_size);
message = dbus_message_new_signal(ses_data->dbus_obj_path,
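Review bot: A zero-length payload can now be reported as an allocation failure, because `malloc(0)` is allowed to return NULL and the new check does not distinguish that from out-of-memory. If events with `event_payload_size == 0` are valid, skip the allocation and the `memcpy` for them instead of returning early. The new log line also drops the `%s:`/`__func__` prefix and the session id that the message just above it carries, which makes the failure hard to attribute. The function continues outside the hunk, so how `buf` is released afterwards is not visible here.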
@@ -516,6 +530,13 @@
}
cb_data = (agm_callback_data *)malloc(sizeof(agm_callback_data));
+ if (cb_data == NULL) {
+ AGM_LOGE("cb_data is NULL");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED,
+ "cb_data is NULL");
+ agm_free_session(ses_data);
+ return;
+ }
cb_data->session_id = session_id;
cb_data->event_type = evt_type;
cb_data->client_data = client_data;
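Review bot: The failure path calls `agm_free_session(ses_data)` on a session that may still be registered in `mdata->sessions`. The lookup-or-create code in the first hunk of this file suggests session data lives in that table, and if the entry is not removed first, a later lookup for the same `session_id` would return freed memory. If the table was created with a destroy callback, `g_hash_table_remove(mdata->sessions, GUINT_TO_POINTER(session_id));` would release it safely; otherwise remove the entry before freeing. The second `cb_data` hunk below has the same path, and where `ses_data` is obtained is outside both hunks.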
@@ -590,6 +611,13 @@
}
cb_data = (agm_callback_data *)malloc(sizeof(agm_callback_data));
+ if (cb_data == NULL) {
+ AGM_LOGE("cb_data is NULL");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED,
+ "cb_data is NULL");
+ agm_free_session(ses_data);
+ return;
+ }
cb_data->session_id = session_id;
cb_data->event_type = evt_type;
cb_data->client_data = client_data;
@@ -661,6 +689,12 @@
evt_reg_cfg = (struct agm_event_reg_cfg *)
calloc (1,(sizeof(struct agm_event_reg_cfg) +
(event_config_payload_size)*sizeof(uint8_t)));
+ if (evt_reg_cfg == NULL) {
+ AGM_LOGE("alloc memory failed, evt_reg_cfg is NULL.");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED,
+ "alloc memory failed, evt_reg_cfg is NULL.");
+ return;
+ }
evt_reg_cfg->module_instance_id = module_instance_id;
evt_reg_cfg->event_id = event_id;
evt_reg_cfg->event_config_payload_size = event_config_payload_size;
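Review bot: The NULL check after this `calloc` does not bound `event_config_payload_size`, so the allocation size is still driven by a value that appears to come from the D-Bus message and is never compared with the length of the array actually received. The same applies to `num_ckv` in the cal_config hunk, where `memcpy(cal_config->kv, value, cal_config->num_ckvs*sizeof(struct agm_key_value))` reads that many entries from `value` regardless of how many the message carried, and to `num_tkvs` in the tag_config hunk. I would reject the request when the declared count and the received array length disagree, and check the size arithmetic for wrap-around before allocating. The parsing of these fields is outside the hunks, so confirm whether such a check already exists there.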
@@ -722,6 +756,12 @@
dbus_message_iter_recurse(&arg_i, &array_i);
dbus_message_iter_get_fixed_array(&array_i, addr_value, &n_elements);
payload = (void *)malloc(n_elements*sizeof(char));
+ if (payload == NULL) {
+ AGM_LOGE("payload is NULL.");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED,
+ "Ipayload is NULL.");
+ return;
+ }
memcpy(payload, value, n_elements);
if (agm_session_get_params(session_id, (void *)payload, size) != 0) {
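Review bot: The buffer is sized from `n_elements`, but `agm_session_get_params` is then called with the separate `size` argument, so a request whose `size` is larger than the array it carries would let the callee touch memory past the `n_elements`-byte allocation; the added NULL check does not cover this. A guard before the `malloc` that sends `DBUS_ERROR_FAILED` and returns when `size` exceeds `n_elements` (or when `n_elements` is negative) would tie the two together. The same pattern is in the `buf`/`agm_session_aif_set_params` hunk and in the three `metadata` hunks. The client-visible string `"Ipayload is NULL."` also has a stray `I`. How `size` is parsed and typed is outside the hunk, so confirm that no earlier check already enforces this.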
@@ -791,6 +831,12 @@
cal_config = (struct agm_cal_config *)
calloc (1, sizeof(struct agm_cal_config) +
num_ckv * sizeof(struct agm_key_value));
+ if (cal_config == NULL) {
+ AGM_LOGE("alloc memory failed, cal_config is NULL.");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED,
+ "alloc memory failed, cal_config is NULL.");
+ return;
+ }
cal_config->num_ckvs = num_ckv;
memcpy(cal_config->kv, value,
cal_config->num_ckvs*sizeof(struct agm_key_value));
@@ -854,6 +900,11 @@
dbus_message_iter_recurse(&arg_i, &array_i);
dbus_message_iter_get_fixed_array(&array_i, addr_value, &n_elements);
buf = (void *)malloc(n_elements*sizeof(char));
+ if (buf == NULL) {
+ AGM_LOGE("buf is NULL");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED, "buf is NULL");
+ return;
+ }
memcpy(buf, value, n_elements);
if (agm_session_aif_set_params(session_id, aif_id, buf, size) != 0) {
@@ -1285,6 +1336,12 @@
size_local = (sizeof(struct agm_tag_config) +
(num_tkvs) * sizeof(agm_key_value));
tag_config = (struct agm_tag_config *) calloc(1,size_local);
+ if (tag_config == NULL) {
+ AGM_LOGE("tag_config is NULL.");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED,
+ "tag_config is NULL.");
+ return;
+ }
tag_config->tag = tag;
tag_config->num_tkvs = num_tkvs;
dbus_message_iter_recurse(&struct_i, &array_i);
@@ -1407,6 +1464,11 @@
dbus_message_iter_recurse(&arg_i, &array_i);
dbus_message_iter_get_fixed_array(&array_i, addr_value, &n_elements);
metadata = (void *)malloc(n_elements*sizeof(char));
+ if (metadata == NULL) {
+ AGM_LOGE("metadata is NULL");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED, "metadata is NULL");
+ return;
+ }
memcpy(metadata, value, n_elements);
if (agm_session_set_metadata(session_id, size, (uint8_t *)metadata) != 0) {
@@ -1467,6 +1529,11 @@
dbus_message_iter_recurse(&arg_i, &array_i);
dbus_message_iter_get_fixed_array(&array_i, addr_value, &n_elements);
metadata = (void *)malloc(n_elements*sizeof(char));
+ if (metadata == NULL) {
+ AGM_LOGE("metadata is NULL");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED, "metadata is NULL");
+ return;
+ }
memcpy(metadata, value, n_elements);
if (agm_session_aif_set_metadata(session_id,
@@ -1529,6 +1596,11 @@
dbus_message_iter_recurse(&arg_i, &array_i);
dbus_message_iter_get_fixed_array(&array_i, addr_value, &n_elements);
metadata = (void *)malloc(n_elements*sizeof(char));
+ if (metadata == NULL) {
+ AGM_LOGE("metadata is NULL");
+ agm_dbus_send_error(mdata->conn, msg, DBUS_ERROR_FAILED, "metadata is NULL");
+ return;
+ }
memcpy(metadata, value, n_elements);
if (agm_aif_set_metadata(aif_id, size, (uint8_t *)metadata) != 0) {
@@ -2188,8 +2260,21 @@
AGM_LOGV("%s : ", __func__);
mdata = (agm_module_dbus_data *)malloc(sizeof(agm_module_dbus_data));
+ if (mdata == NULL) {
+ AGM_LOGE("mdata is NULL");
+ rc = -EINVAL;
+ return rc;
+ }
+
mdata->dbus_obj_path =
(char *)malloc(sizeof(char)*(strlen(AGM_OBJECT_PATH) + 1));
+ if (mdata->dbus_obj_path == NULL) {
+ AGM_LOGE("dbus_obj_path is NULL");
+ free(mdata)
+ mata = NULL;
+ rc = -EINVAL;
+ return rc;
+ }
memcpy(mdata->dbus_obj_path, AGM_OBJECT_PATH, strlen(AGM_OBJECT_PATH)+1);
mdata->conn = agm_dbus_new_connection();
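Review bot: The new error path for `dbus_obj_path` does not compile as shown: `free(mdata)` is missing its semicolon, and the next line assigns to `mata`, which is not declared anywhere in the hunk. It should read `free(mdata);` followed by `mdata = NULL;`. Separately, both new returns report an allocation failure as `-EINVAL`; `-ENOMEM` would tell the caller what actually happened. The function continues past the hunk.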
diff --git a/service/test/src/agm_test.c b/service/test/src/agm_test.c
index e2f0078..a3a4f2b 100644
--- a/service/test/src/agm_test.c
+++ b/service/test/src/agm_test.c
@@ -478,6 +478,10 @@
if (num_aif_info > 0) {
aifinfo = calloc(num_aif_info, sizeof(struct aif_info));
+ if (aifinfo == NULL) {
+ ret = -1;
+ goto fail;
+ }
} else {
ret = -1;
goto fail;