git.osdn.net Git - android-x86/frameworks-av.git/commit

author	Phil Burk <philburk@google.com>
	Mon, 3 Dec 2018 22:16:46 +0000 (14:16 -0800)
committer	JP Sugarbroad <jpsugar@google.com>
	Mon, 14 Jan 2019 22:56:23 +0000 (14:56 -0800)
commit	d65253514a40ec0ae8278bb2119ec94ac2b1abf3
tree	cfbcb19686f4592e011fcc47bbad1b1364e566e1	tree \| snapshot
parent	62cd0f4a5aa2be7d870108630f4ac9447af95d9d	commit \| diff

RESTRICT AUTOMERGE: aaudio: Fix converting negative FIFO counters to index

The index into the FIFO is calculated by using:

counter % capacity

But the counter is signed and when it is negative the
modulo can have a negative result. That can cause
a negative array index and an access out of bounds.

This is not normally a problem because the counter
is 64 bits and it will not overflow until the audio
has run for a few million years. But a hacker might
be able to modify this internal counter and force
an error.

The solution involves casting to a uint64_t before doing
the modulo.

Note that there may still be a discontinuity when the
counter wraps from -1 to 0. But that will not result
in an out-of-bounds access. It may cause a noise but
an app could simply create a noise directly. So that is
not considered an exploit.

Bug: 120789744
Test: test_atomic_fifo.cpp
Change-Id: I6fe57bcb44528d29b5edb817c592e5e9a8aaf8eb
(cherry picked from commit d1fc53ca84b3d8d074fb27e192dea8204c1fb221)