diff options
| author | Michael Lentine <mlentine@google.com> | 2014-10-31 11:10:13 -0700 |
|---|---|---|
| committer | Dan Stoza <stoza@google.com> | 2014-12-05 20:31:09 +0000 |
| commit | ae33effd43a615183f089f0a216b5965e8104842 (patch) | |
| tree | a4a8b22b63f8ca97a625398cdedebb93dcf2814b | |
| parent | 09b9193d10b3849e426c5370a757a0eedc65a7ff (diff) | |
| download | native-ae33effd43a615183f089f0a216b5965e8104842.tar.gz | |
Fix crash when user provides large values in the Parcel.
Bug: 18102648
Change-Id: Ie6a24718e586a34424238363de80f9545951514f
(cherry-picked from commit 8afa1c4ab86d724feb7716e153b7835385534590)
| -rw-r--r-- | libs/gui/ISurfaceComposer.cpp | 14 | ||||
| -rw-r--r-- | libs/gui/LayerState.cpp | 8 |
2 files changed, 18 insertions, 4 deletions
diff --git a/libs/gui/ISurfaceComposer.cpp b/libs/gui/ISurfaceComposer.cpp index 669755a86c..bc4baa3ee9 100644 --- a/libs/gui/ISurfaceComposer.cpp +++ b/libs/gui/ISurfaceComposer.cpp @@ -312,19 +312,29 @@ status_t BnSurfaceComposer::onTransact( case SET_TRANSACTION_STATE: { CHECK_INTERFACE(ISurfaceComposer, data, reply); size_t count = data.readInt32(); + if (count > data.dataSize()) { + return BAD_VALUE; + } ComposerState s; Vector<ComposerState> state; state.setCapacity(count); for (size_t i=0 ; i<count ; i++) { - s.read(data); + if (s.read(data) == BAD_VALUE) { + return BAD_VALUE; + } state.add(s); } count = data.readInt32(); + if (count > data.dataSize()) { + return BAD_VALUE; + } DisplayState d; Vector<DisplayState> displays; displays.setCapacity(count); for (size_t i=0 ; i<count ; i++) { - d.read(data); + if (d.read(data) == BAD_VALUE) { + return BAD_VALUE; + } displays.add(d); } uint32_t flags = data.readInt32(); diff --git a/libs/gui/LayerState.cpp b/libs/gui/LayerState.cpp index dcdcdf2525..ccf8b7826b 100644 --- a/libs/gui/LayerState.cpp +++ b/libs/gui/LayerState.cpp @@ -55,8 +55,12 @@ status_t layer_state_t::read(const Parcel& input) alpha = input.readFloat(); flags = input.readInt32(); mask = input.readInt32(); - matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>( - input.readInplace(sizeof(layer_state_t::matrix22_t))); + const void* matrix_data = input.readInplace(sizeof(layer_state_t::matrix22_t)); + if (matrix_data) { + matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(matrix_data); + } else { + return BAD_VALUE; + } input.read(crop); input.read(transparentRegion); return NO_ERROR; |