libgui: Check slot received from IGBP in Surface

Checks that the slot number received from mGraphicBufferProducer in Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to protect against a malicious BnGraphicBufferProducer. Bug: 36991414 Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa (cherry picked from commit 90ce2a9c1d3af422c66b4061805831cb208263d8)
author: Dan Stoza <stoza@google.com> 2017-05-01 16:31:53 -0700
committer: JP Sugarbroad <jpsugar@google.com> 2017-05-19 00:25:08 -0700
commit: 277b287eaf758404810595552e37e57723d8bab8 (patch)
tree: 61e1a063d9a53991387063b72c6640c1ad88f352
parent: db22c62d610a3120947e4d832349b352ee295bb9 (diff)
download: native-277b287eaf758404810595552e37e57723d8bab8.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libs/gui/Surface.cpp b/libs/gui/Surface.cpp
index 08382908ba..5a2ca8d7ac 100644
--- a/libs/gui/Surface.cpp
+++ b/libs/gui/Surface.cpp
@@ -306,6 +306,12 @@ int Surface::dequeueBuffer(android_native_buffer_t** buffer, int* fenceFd) {
         return result;
     }
 
+    if (buf < 0 || buf >= NUM_BUFFER_SLOTS) {
+        ALOGE("dequeueBuffer: IGraphicBufferProducer returned invalid slot number %d", buf);
+        android_errorWriteLog(0x534e4554, "36991414"); // SafetyNet logging
+        return FAILED_TRANSACTION;
+    }
+
     Mutex::Autolock lock(mMutex);
 
     sp<GraphicBuffer>& gbuf(mSlots[buf].buffer);
author	Dan Stoza <stoza@google.com>	2017-05-01 16:31:53 -0700
committer	JP Sugarbroad <jpsugar@google.com>	2017-05-19 00:25:08 -0700
commit	277b287eaf758404810595552e37e57723d8bab8 (patch)
tree	61e1a063d9a53991387063b72c6640c1ad88f352
parent	db22c62d610a3120947e4d832349b352ee295bb9 (diff)
download	native-277b287eaf758404810595552e37e57723d8bab8.tar.gz