# /external/sonivox/arm-wt-22k/lib_src/eas_mdls.c
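static EAS_RESULT PushcdlStack (EAS_U32 *pStack, EAS_INT *pStackPtr, EAS_U32 value)
{
    /* Push value onto the cdl evaluation stack.
     * pStack has CDL_STACK_SIZE slots and *pStackPtr is the index of the
     * current top (-1 when the stack is empty). The push below pre-increments
     * the index before storing, so the largest top that still leaves room is
     * CDL_STACK_SIZE - 2: a top of CDL_STACK_SIZE - 1 would store into
     * pStack[CDL_STACK_SIZE], one element past the end of the caller's array.
     * Rejecting at CDL_STACK_SIZE - 1 (rather than at CDL_STACK_SIZE, as the
     * original check did) closes that off-by-one.
     * Returns EAS_ERROR_FILE_FORMAT when the stack is full, EAS_SUCCESS otherwise. */
    if (*pStackPtr >= (CDL_STACK_SIZE - 1))
        return EAS_ERROR_FILE_FORMAT;

    /* push the value onto the stack */
    *pStackPtr = *pStackPtr + 1;
    pStack[*pStackPtr] = value;
    return EAS_SUCCESS;
}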
static EAS_RESULT Parse_cdl (SDLS_SYNTHESIZER_DATA *pDLSData, EAS_I32 size, EAS_U32 *pValue)
{
    /* Evaluate a DLS conditional (cdl) chunk read from the file.
     * Each opcode is fetched with EAS_HWGetWord, evaluated, and its result is
     * pushed onto a fixed-size local stack; the final result is popped into
     * *pValue. Returns EAS_SUCCESS, or the first error reported by the file
     * reader or by the stack helpers.
     * NOTE: several opcode handlers are elided on this page ("code omitted"),
     * so how `size` is decremented and how `x` is computed for those opcodes
     * is not visible here. */
    EAS_RESULT result;
    EAS_U32 stack[CDL_STACK_SIZE];   /* exactly CDL_STACK_SIZE slots: index CDL_STACK_SIZE is out of bounds */
    EAS_U16 opcode;
    EAS_INT stackPtr;
    EAS_U32 x, y;
    DLSID dlsid;
    stackPtr = -1;   /* empty; PushcdlStack pre-increments before storing */
    *pValue = 0;
    x = 0;
    while (size)
    {
        /* read the opcode */
        if ((result = EAS_HWGetWord(pDLSData->hwInstData, pDLSData->fileHandle, &opcode, EAS_FALSE)) != EAS_SUCCESS)
            return result;
        /* handle binary opcodes */
        if (opcode <= DLS_CDL_EQ)
        {
            /* ... code omitted ... */
        }
        else if (opcode == DLS_CDL_NOT)
        {
            /* ... code omitted ... */
        }
        else if (opcode == DLS_CDL_CONST)
        {
            /* the constant operand follows the opcode in the file */
            if ((result = EAS_HWGetDWord(pDLSData->hwInstData, pDLSData->fileHandle, &x, EAS_FALSE)) != EAS_SUCCESS)
                return result;
        }
        else if (opcode == DLS_CDL_QUERY)
        {
            /* ... code omitted ... */
        }
        else if (opcode == DLS_CDL_QUERYSUPPORTED)
        {
            /* ... code omitted ... */
        }
        else
        { /* dpp: EAS_ReportEx(_EAS_SEVERITY_WARNING, "Unsupported opcode %d in DLS file\n", opcode); */ }
        /* push the result on the stack.
         * For opcodes not handled above, x keeps whatever value it had from the
         * previous iteration (initially 0) and is still pushed.
         * The push count is driven entirely by the file contents, so the bound
         * check inside PushcdlStack is the only thing protecting stack[]:
         * with CDL_STACK_SIZE slots, a push must already be refused once
         * stackPtr has reached CDL_STACK_SIZE - 1, otherwise the store lands
         * one element past the end of the array. */
        if ((result = PushcdlStack(stack, &stackPtr, x)) != EAS_SUCCESS) // vulnerable call site
            return result;
    }
    /* pop the last result off the stack */
    return PopcdlStack(stack, &stackPtr, pValue);
}
@@ -110,9 +110,24 @@
mUid = clientUid;
// ALOGD("Creating track with %d buffers @ %d bytes", bufferCount, bufferSize);
+
+ size_t bufferSize = buffer == NULL ? roundup(frameCount) : frameCount;
+ // check overflow when computing bufferSize due to multiplication by mFrameSize.
+ if (bufferSize < frameCount // roundup rounds down for values above UINT_MAX / 2
+ || mFrameSize == 0 // format needs to be correct
+ || bufferSize > SIZE_MAX / mFrameSize) {
+ android_errorWriteLog(0x534e4554, "34749571");
+ return;
+ }
+ bufferSize *= mFrameSize;
+
size_t size = sizeof(audio_track_cblk_t);
- size_t bufferSize = (buffer == NULL ? roundup(frameCount) : frameCount) * mFrameSize;
if (buffer == NULL && alloc == ALLOC_CBLK) {
+ // check overflow when computing allocation size for streaming tracks.
+ if (size > SIZE_MAX - bufferSize) {
+ android_errorWriteLog(0x534e4554, "34749571");
+ return;
+ }
size += bufferSize;
}
// Binder entry point: applies a batch of layer/display state changes.
// Both vectors are unmarshalled from the calling process, so every field of
// every ComposerState (including s.client) is controlled by the caller.
// Only the client-validation part of the body is shown on this page.
void SurfaceFlinger::setTransactionState(
    // (annotation on the page: `state` is caller-controlled)
    const Vector<ComposerState>& state, ——>State是我们可以控制的
    const Vector<DisplayState>& displays,
    uint32_t flags)
{
    /* ... code omitted ... */
    count = state.size();
    for (size_t i=0 ; i<count ; i++) {
        // (annotation on the page: each state[i] is processed in turn)
        const ComposerState& s(state[i]); ——>循环处理state[i]
        // Here we need to check that the interface we're given is indeed
        // one of our own. A malicious client could give us a NULL
        // IInterface, or one of its own or even one of our own but a
        // different type. All these situations would cause us to crash.
        //
        // NOTE: it would be better to use RTTI as we could directly check
        // that we have a Client*. however, RTTI is disabled in Android.
        if (s.client != NULL) {
            // (annotation on the page: s.client is a binder reference)
            sp<IBinder> binder = IInterface::asBinder(s.client);——> s.client是一个IBinder指针
            if (binder != NULL) {
                String16 desc(binder->getInterfaceDescriptor());
                // This compares only the interface-descriptor *string* reported
                // by the binder. A remote binder object can report the same
                // descriptor, so a match does not prove that s.client is this
                // process's own Client implementation. (The page's corrected
                // loop below uses IBinder::queryLocalInterface instead, which
                // only succeeds for a local object.)
                if (desc == ISurfaceComposerClient::descriptor) {—->比较binder->getInterfaceDescriptor()和ISurfaceComposerClient::descriptor的值
                    // Unchecked downcast: static_cast assumes the object really
                    // is a Client, which the descriptor compare above does not
                    // establish. setClientStateLocked then dereferences it.
                    sp<Client> client( static_cast<Client *>(s.client.get()) );——>类型转换
                    transactionFlags |= setClientStateLocked(client, s.state);
                }
            }
        }
    }
    /* ... code omitted ... */
}
// Applies one layer_state_t for the given client and returns the transaction
// flags it produced. Only the prologue is shown on this page.
// `client` is dereferenced immediately (getLayerUser), so this function relies
// on the caller having proven that the sp<Client> really points at a Client.
uint32_t SurfaceFlinger::setClientStateLocked(
    const sp<Client>& client,
    const layer_state_t& s)
{
    uint32_t flags = 0;
    // s.surface comes from the caller's transaction; the layer lookup is done
    // through the (assumed-valid) Client object.
    sp<Layer> layer(client->getLayerUser(s.surface));
    /* ... code omitted ... */
}
// Corrected client-validation loop (enclosing function not shown on this page).
// It differs from the version above only in how the binder is validated.
count = state.size();
for (size_t i=0 ; i<count ; i++) {
    const ComposerState& s(state[i]);
    // Here we need to check that the interface we're given is indeed
    // one of our own. A malicious client could give us a NULL
    // IInterface, or one of its own or even one of our own but a
    // different type. All these situations would cause us to crash.
    //
    // NOTE: it would be better to use RTTI as we could directly check
    // that we have a Client*. however, RTTI is disabled in Android.
    if (s.client != NULL) {
        sp<IBinder> binder = IInterface::asBinder(s.client);
        if (binder != NULL) {
            // queryLocalInterface returns non-NULL only when the binder is an
            // object that lives in this process and implements the named
            // interface, so a remote object merely reporting the same
            // descriptor string no longer passes this check. That is what
            // makes the static_cast below sound.
            if (binder->queryLocalInterface(ISurfaceComposerClient::descriptor) != NULL) {
                sp<Client> client( static_cast<Client *>(s.client.get()) );
                transactionFlags |= setClientStateLocked(client, s.state);
            }
        }
    }
}
// Parses one MP4 box at *offset. Only the 'btrt' (bit-rate) case is shown on
// this page; the surrounding switch and the rest of the body are elided.
status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
    /* ... code omitted ... */
    case FOURCC(‘b‘, ‘t‘, ‘r‘, ‘t‘):
    {
        *offset += chunk_size;
        uint8_t buffer[12];
        // the box payload must be exactly 12 bytes (buffer size is the bound)
        if (chunk_data_size != sizeof(buffer)) {
            return ERROR_MALFORMED;
        }
        if (mDataSource->readAt(
                data_offset, buffer, chunk_data_size) < chunk_data_size) {
            return ERROR_IO;
        }
        uint32_t maxBitrate = U32_AT(&buffer[4]);
        uint32_t avgBitrate = U32_AT(&buffer[8]);
        // mLastTrack is initialised to NULL in the constructor (see below) and
        // is only set once a track box has been seen. Nothing in this case
        // checks it, so a file that places a 'btrt' box before any track box
        // reaches the dereferences below with mLastTrack == NULL.
        if (maxBitrate > 0 && maxBitrate < INT32_MAX) {
            // (annotation on the page: null-pointer dereference)
            mLastTrack->meta->setInt32(kKeyMaxBitRate, (int32_t)maxBitrate); ——-> 空指针引用
        }
        if (avgBitrate > 0 && avgBitrate < INT32_MAX) {
            // (annotation on the page: null-pointer dereference)
            mLastTrack->meta->setInt32(kKeyBitRate, (int32_t)avgBitrate); ——-> 空指针引用
        }
        break;
    }
    /* ... code omitted ... */
}
// Constructor: records the data source and zero/NULL-initialises parser state.
// No parsing happens here, so mFirstTrack and mLastTrack stay NULL until a
// track box is encountered by parseChunk; code that dereferences mLastTrack
// before that point operates on a null pointer.
MPEG4Extractor::MPEG4Extractor(const sp<DataSource> &source)
    : mMoofOffset(0),
      mMoofFound(false),
      mMdatFound(false),
      mDataSource(source),
      mInitCheck(NO_INIT),
      mHasVideo(false),
      mHeaderTimescale(0),
      mFirstTrack(NULL),
      // (annotation on the page: mLastTrack starts out NULL)
      mLastTrack(NULL), ———> mLastTrack的值置为空
      mFileMetaData(new MetaData),
      mFirstSINF(NULL),
      mIsDrm(false) {
}
// Effect command dispatch (original, pre-fix version; the gutter numbers on the
// page are line numbers of the source file). Only the parameter-buffer
// draining part of the body is shown, and the function's end is elided.
// mCblk is a control block shared with the client process, so every field
// read from it can change under this code.
1207status_t AudioFlinger::EffectHandle::command(uint32_t cmdCode,
1208 uint32_t cmdSize,
1209 void *pCmdData,
1210 uint32_t *replySize,
1211 void *pReplyData)
1212{
/* ... code omitted ... */
1232 Mutex::Autolock _l(mCblk->lock);
// The indexes are validated here, but they are re-read from the shared block
// in the loop below, so a client that rewrites them after this check is not
// caught by it. (The corrected version below snapshots both indexes first.)
1233 if (mCblk->clientIndex > EFFECT_PARAM_BUFFER_SIZE ||
1234 mCblk->serverIndex > EFFECT_PARAM_BUFFER_SIZE) {
1235 mCblk->serverIndex = 0;
1236 mCblk->clientIndex = 0;
1237 return BAD_VALUE;
1238 }
1239 status_t status = NO_ERROR;
1240 while (mCblk->serverIndex < mCblk->clientIndex) {
1241 int reply;
1242 uint32_t rsize = sizeof(int);
// (annotation on the page: out-of-bounds access) -- the pointer is derived
// from the live serverIndex, not from the value that passed the check above,
// and nothing visible here verifies that sizeof(int) bytes remain in mBuffer.
1243 int *p = (int *)(mBuffer + mCblk->serverIndex); —————>越界访问
1244 int size = *p++;
/* ... code omitted ... */
}
// Corrected parameter-buffer draining (enclosing function not shown on this
// page). The indexes are copied out of the shared control block once, so the
// bounds check and the subsequent pointer arithmetic use the same values even
// if the client rewrites mCblk concurrently.
1380 Mutex::Autolock _l(mCblk->lock);
1381 // keep local copy of index in case of client corruption b/32220769
// (annotation on the page: snapshot mCblk->clientIndex)
1382 const uint32_t clientIndex = mCblk->clientIndex; ——> 保存mCblk->clientIndex
// (annotation on the page: snapshot mCblk->serverIndex)
1383 const uint32_t serverIndex = mCblk->serverIndex; —-> 保存mCblk->serverIndex
1384 if (clientIndex > EFFECT_PARAM_BUFFER_SIZE ||
1385 serverIndex > EFFECT_PARAM_BUFFER_SIZE) {
1386 mCblk->serverIndex = 0;
1387 mCblk->clientIndex = 0;
1388 return BAD_VALUE;
1389 }
1390 status_t status = NO_ERROR;
1391 effect_param_t *param = NULL;
// the loop walks the local copies; the rest of the loop body is elided here
1392 for (uint32_t index = serverIndex; index < clientIndex;) {
1393 int *p = (int *)(mBuffer + index);
1394 const int size = *p++;
/**
 * Builds a WifiConfiguration from a received payload; only the prologue is
 * shown on this page (the gutter numbers are source-file line numbers).
 * Visible steps: decode {@code data} as ISO-8859-1 text, Base64-decode it,
 * then delete the source file named by {@code uriString}.
 * NOTE: the log line tolerates {@code data == null}, but the very next
 * statement passes {@code data} to {@code new String(...)}, which throws
 * NullPointerException on null -- so null input is logged, not handled.
 * Malformed Base64 raises IllegalArgumentException from Base64.decode, which
 * is not among the declared exceptions.
 */
50 public static WifiConfiguration buildConfig(String uriString, byte[] data, Context context)
51 throws IOException, GeneralSecurityException, SAXException {
52 Log.d(TAG, "Content: " + (data != null ? data.length : -1));
53
54 byte[] b64 = Base64.decode(new String(data, StandardCharsets.ISO_8859_1), Base64.DEFAULT);
55 Log.d(TAG, "Decoded: " + b64.length + " bytes.");
56
// the input file is removed before the decoded content has been validated
57 dropFile(Uri.parse(uriString), context);
// Binder server-side dispatch; only the GET_CODEC_INFO case is shown on this
// page. `data` is the caller-supplied parcel, so the index read from it is
// untrusted.
status_t BnMediaCodecList::onTransact(
    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
    /* ... code omitted ... */
    case GET_CODEC_INFO:
    {
        CHECK_INTERFACE(IMediaCodecList, data, reply);
        // A negative int32 from the parcel becomes a very large size_t here;
        // no range check is done at this point, so correctness depends on
        // getCodecInfo (below) bounds-checking the index before use.
        size_t index = static_cast<size_t>(data.readInt32());
        const sp<MediaCodecInfo> info = getCodecInfo(index);
        if (info != NULL) {
            reply->writeInt32(OK);
            info->writeToParcel(reply);
        } else {
            reply->writeInt32(-ERANGE);
        }
        return NO_ERROR;
    }
    break;   // unreachable: both branches above return
    /* ... code omitted ... */
}
// Bounds-checked lookup of a codec entry. Returns NULL (and logs the bug id)
// for any index at or past the end of mCodecInfos instead of reading outside
// the list; the index may originate from a Parcel (see onTransact).
virtual sp<MediaCodecInfo> getCodecInfo(size_t index) const {
    const size_t count = mCodecInfos.size();
    if (index < count) {
        return mCodecInfos.itemAt(index);
    }
    ALOGE("b/24445127");
    return NULL;
}
// Decoder initialisation (original, pre-fix version); only the create call is
// shown on this page.
status_t SoftAVC::initDecoder() {
    /* ... code omitted ... */
    status = ivdec_api_function(mCodecCtx, (void *)&s_create_ip, (void *)&s_create_op);
    // The handle returned by the create call is stored and written through
    // *before* `status` is examined. When the create call failed, the handle
    // in s_create_op has not been shown to be valid, so the two stores below
    // go through an unchecked pointer. The corrected ordering (shown below)
    // tests `status` first and only then touches pv_handle.
    mCodecCtx = (iv_obj_t*)s_create_op.s_ivd_create_op_t.pv_handle;
    mCodecCtx->pv_fxns = dec_fxns;
    mCodecCtx->u4_size = sizeof(iv_obj_t);
    if (status != IV_SUCCESS) {
        ALOGE("Error in create: 0x%x",
                s_create_op.s_ivd_create_op_t.u4_error_code);
        deInitDecoder();
        mCodecCtx = NULL;
        return UNKNOWN_ERROR;
    }
    /* ... code omitted ... */
}
// Corrected create sequence (enclosing function not shown on this page):
// the result code is checked before the returned handle is stored or
// dereferenced, so a failed create never leads to writes through pv_handle.
status = ivdec_api_function(mCodecCtx, (void *)&s_create_ip, (void *)&s_create_op);
if (status != IV_SUCCESS) {
    ALOGE("Error in create: 0x%x",
            s_create_op.s_ivd_create_op_t.u4_error_code);
    deInitDecoder();
    mCodecCtx = NULL;
    return UNKNOWN_ERROR;
}
// only reached on IV_SUCCESS
mCodecCtx = (iv_obj_t*)s_create_op.s_ivd_create_op_t.pv_handle;
mCodecCtx->pv_fxns = dec_fxns;
mCodecCtx->u4_size = sizeof(iv_obj_t);
原文地址:https://www.cnblogs.com/elvirangel/p/10448590.html