Merge cherrypicks of [2338295, 2338197, 2338407, 2338385, 2338425, 2338465, 2338447, 2338426, 2338386, 2338387, 2338466, 2338368, 2338296, 2338198, 2338450, 2338470, 2338429, 2338390, 2338430, 2338315, 2338452, 2338453, 2338431, 2338297, 2338354, 2338200, 2338391, 2338392, 2338482, 2338357, 2338411, 2338394, 2338318, 2338370, 2338434, 2338472, 2338473, 2338395, 2338299, 2338412, 2338413, 2338454, 2338396, 2338474, 2338397, 2338360, 2338455] into nyc-mr2-security-b-releaseandroid-7.1.2_r25

Change-Id: I476ce8051d3e7092acf323c34ce112465ac5d03b
author: android-build-team Robot <android-build-team-robot@google.com> 2017-05-31 20:31:30 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> 2017-05-31 20:31:30 +0000
commit: a443989be3cb275947effe26833715da73528d23 (patch)
tree: 1cc432aba09db78896b8d42036f22686d5fd0a39
parent: 783b76e68194812684e1f87c71c1a12eda6a49f1 (diff)
parent: 4d140c6444d14a20b7881fd2533efb7d52d4c7a0 (diff)
download: native-a443989be3cb275947effe26833715da73528d23.tar.gz
3 files changed, 16 insertions, 1 deletions
diff --git a/libs/gui/IGraphicBufferProducer.cpp b/libs/gui/IGraphicBufferProducer.cpp
index f4ba3bf15f..1a08130c44 100644
--- a/libs/gui/IGraphicBufferProducer.cpp
+++ b/libs/gui/IGraphicBufferProducer.cpp
@@ -26,6 +26,7 @@
 #include <binder/Parcel.h>
 #include <binder/IInterface.h>
 
+#include <gui/BufferQueueDefs.h>
 #include <gui/IGraphicBufferProducer.h>
 #include <gui/IProducerListener.h>
 
@@ -203,8 +204,16 @@ public:
         if (result != NO_ERROR) {
             return result;
         }
+
         *slot = reply.readInt32();
         result = reply.readInt32();
+        if (result == NO_ERROR &&
+                (*slot < 0 || *slot >= BufferQueueDefs::NUM_BUFFER_SLOTS)) {
+            ALOGE("attachBuffer returned invalid slot %d", *slot);
+            android_errorWriteLog(0x534e4554, "37478824");
+            return UNKNOWN_ERROR;
+        }
+
         return result;
     }
 
diff --git a/libs/gui/Surface.cpp b/libs/gui/Surface.cpp
index 08382908ba..5a2ca8d7ac 100644
--- a/libs/gui/Surface.cpp
+++ b/libs/gui/Surface.cpp
@@ -306,6 +306,12 @@ int Surface::dequeueBuffer(android_native_buffer_t** buffer, int* fenceFd) {
         return result;
     }
 
+    if (buf < 0 || buf >= NUM_BUFFER_SLOTS) {
+        ALOGE("dequeueBuffer: IGraphicBufferProducer returned invalid slot number %d", buf);
+        android_errorWriteLog(0x534e4554, "36991414"); // SafetyNet logging
+        return FAILED_TRANSACTION;
+    }
+
     Mutex::Autolock lock(mMutex);
 
     sp<GraphicBuffer>& gbuf(mSlots[buf].buffer);
diff --git a/libs/ui/Fence.cpp b/libs/ui/Fence.cpp
index 7cf8233820..5531b238f9 100644
--- a/libs/ui/Fence.cpp
+++ b/libs/ui/Fence.cpp
@@ -162,7 +162,7 @@ status_t Fence::unflatten(void const*& buffer, size_t& size, int const*& fds, si
         return INVALID_OPERATION;
     }
 
-    if (size < 1) {
+    if (size < getFlattenedSize()) {
         return NO_MEMORY;
     }
author	android-build-team Robot <android-build-team-robot@google.com>	2017-05-31 20:31:30 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	2017-05-31 20:31:30 +0000
commit	a443989be3cb275947effe26833715da73528d23 (patch)
tree	1cc432aba09db78896b8d42036f22686d5fd0a39
parent	783b76e68194812684e1f87c71c1a12eda6a49f1 (diff)
parent	4d140c6444d14a20b7881fd2533efb7d52d4c7a0 (diff)
download	native-a443989be3cb275947effe26833715da73528d23.tar.gz