fix use-after-free for sink/source metadata

thestinger · thestinger · commit e295e5888f97 · 2024-03-09T16:11:39.000-05:00
This uses malloc/free to work around the existing code using a raw
pointer to avoid invasive changes.
diff --git a/system/bta/le_audio/audio_hal_client/audio_sink_hal_client.cc b/system/bta/le_audio/audio_hal_client/audio_sink_hal_client.cc
@@ -162,11 +162,21 @@ bool SinkImpl::OnMetadataUpdateReq(const sink_metadata_v7_t& sink_metadata) {
     return false;
   }
 
+  sink_metadata_v7_t deep_copy;
+  deep_copy.tracks = (struct record_track_metadata_v7*)malloc(sink_metadata.track_count * sizeof(deep_copy.tracks[0]));
+  if (!deep_copy.tracks) {
+    LOG_ERROR("malloc");
+    return false;
+  }
+  memcpy(deep_copy.tracks, sink_metadata.tracks, sink_metadata.track_count * sizeof(deep_copy.tracks[0]));
+  deep_copy.track_count = sink_metadata.track_count;
+
   bt_status_t status = do_in_main_thread(
       FROM_HERE,
       base::BindOnce(
           &LeAudioSinkAudioHalClient::Callbacks::OnAudioMetadataUpdate,
-          audioSinkCallbacks_->weak_factory_.GetWeakPtr(), sink_metadata));
+          audioSinkCallbacks_->weak_factory_.GetWeakPtr(), deep_copy));
+  do_in_main_thread(FROM_HERE, base::Bind(&free, (void*)deep_copy.tracks));
   if (status == BT_STATUS_SUCCESS) {
     return true;
   }
diff --git a/system/bta/le_audio/audio_hal_client/audio_source_hal_client.cc b/system/bta/le_audio/audio_hal_client/audio_source_hal_client.cc
@@ -299,12 +299,22 @@ bool SourceImpl::OnMetadataUpdateReq(
     return false;
   }
 
+  source_metadata_v7_t deep_copy;
+  deep_copy.tracks = (struct playback_track_metadata_v7*)malloc(source_metadata.track_count * sizeof(deep_copy.tracks[0]));
+  if (!deep_copy.tracks) {
+    LOG_ERROR("malloc");
+    return false;
+  }
+  memcpy(deep_copy.tracks, source_metadata.tracks, source_metadata.track_count * sizeof(deep_copy.tracks[0]));
+  deep_copy.track_count = source_metadata.track_count;
+
   bt_status_t status = do_in_main_thread(
       FROM_HERE,
       base::BindOnce(
           &LeAudioSourceAudioHalClient::Callbacks::OnAudioMetadataUpdate,
-          audioSourceCallbacks_->weak_factory_.GetWeakPtr(), source_metadata,
+          audioSourceCallbacks_->weak_factory_.GetWeakPtr(), deep_copy,
           dsa_mode));
+  do_in_main_thread(FROM_HERE, base::Bind(&free, (void *)deep_copy.tracks));
   if (status == BT_STATUS_SUCCESS) {
     return true;
   }
