From 8afa1c4ab86d724feb7716e153b7835385534590 Mon Sep 17 00:00:00 2001
From: Michael Lentine <mlentine@google.com>
Date: Fri, 31 Oct 2014 11:10:13 -0700
Subject: [PATCH] Fix crash when user provides large values in the Parcel.

Bug: 18102648
Change-Id: Ie6a24718e586a34424238363de80f9545951514f
---
 libs/gui/ISurfaceComposer.cpp | 14 ++++++++++++--
 libs/gui/LayerState.cpp       |  8 ++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/libs/gui/ISurfaceComposer.cpp b/libs/gui/ISurfaceComposer.cpp
index 81e83360f..ebb687a28 100644
--- a/libs/gui/ISurfaceComposer.cpp
+++ b/libs/gui/ISurfaceComposer.cpp
@@ -312,19 +312,29 @@ status_t BnSurfaceComposer::onTransact(
         case SET_TRANSACTION_STATE: {
             CHECK_INTERFACE(ISurfaceComposer, data, reply);
             size_t count = data.readInt32();
+            if (count > data.dataSize()) {
+                return BAD_VALUE;
+            }
             ComposerState s;
             Vector<ComposerState> state;
             state.setCapacity(count);
             for (size_t i=0 ; i<count ; i++) {
-                s.read(data);
+                if (s.read(data) == BAD_VALUE) {
+                    return BAD_VALUE;
+                }
                 state.add(s);
             }
             count = data.readInt32();
+            if (count > data.dataSize()) {
+                return BAD_VALUE;
+            }
             DisplayState d;
             Vector<DisplayState> displays;
             displays.setCapacity(count);
             for (size_t i=0 ; i<count ; i++) {
-                d.read(data);
+                if (d.read(data) == BAD_VALUE) {
+                    return BAD_VALUE;
+                }
                 displays.add(d);
             }
             uint32_t flags = data.readInt32();
diff --git a/libs/gui/LayerState.cpp b/libs/gui/LayerState.cpp
index e95d8b6c4..1183d5921 100644
--- a/libs/gui/LayerState.cpp
+++ b/libs/gui/LayerState.cpp
@@ -55,8 +55,12 @@ status_t layer_state_t::read(const Parcel& input)
     alpha = input.readFloat();
     flags = input.readInt32();
     mask = input.readInt32();
-    matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(
-            input.readInplace(sizeof(layer_state_t::matrix22_t)));
+    const void* matrix_data = input.readInplace(sizeof(layer_state_t::matrix22_t));
+    if (matrix_data) {
+        matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(matrix_data);
+    } else {
+        return BAD_VALUE;
+    }
     input.read(crop);
     input.read(transparentRegion);
     return NO_ERROR;