Merge "Fix crash when user provides large values in the Parcel." into lmp-mr1-dev
commit
793fc0e13d
@ -312,19 +312,29 @@ status_t BnSurfaceComposer::onTransact(
|
|||||||
case SET_TRANSACTION_STATE: {
|
case SET_TRANSACTION_STATE: {
|
||||||
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
||||||
size_t count = data.readInt32();
|
size_t count = data.readInt32();
|
||||||
|
if (count > data.dataSize()) {
|
||||||
|
return BAD_VALUE;
|
||||||
|
}
|
||||||
ComposerState s;
|
ComposerState s;
|
||||||
Vector<ComposerState> state;
|
Vector<ComposerState> state;
|
||||||
state.setCapacity(count);
|
state.setCapacity(count);
|
||||||
for (size_t i=0 ; i<count ; i++) {
|
for (size_t i=0 ; i<count ; i++) {
|
||||||
s.read(data);
|
if (s.read(data) == BAD_VALUE) {
|
||||||
|
return BAD_VALUE;
|
||||||
|
}
|
||||||
state.add(s);
|
state.add(s);
|
||||||
}
|
}
|
||||||
count = data.readInt32();
|
count = data.readInt32();
|
||||||
|
if (count > data.dataSize()) {
|
||||||
|
return BAD_VALUE;
|
||||||
|
}
|
||||||
DisplayState d;
|
DisplayState d;
|
||||||
Vector<DisplayState> displays;
|
Vector<DisplayState> displays;
|
||||||
displays.setCapacity(count);
|
displays.setCapacity(count);
|
||||||
for (size_t i=0 ; i<count ; i++) {
|
for (size_t i=0 ; i<count ; i++) {
|
||||||
d.read(data);
|
if (d.read(data) == BAD_VALUE) {
|
||||||
|
return BAD_VALUE;
|
||||||
|
}
|
||||||
displays.add(d);
|
displays.add(d);
|
||||||
}
|
}
|
||||||
uint32_t flags = data.readInt32();
|
uint32_t flags = data.readInt32();
|
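Review bot: Both new loop guards test for a single code, `if (s.read(data) == BAD_VALUE)` and `if (d.read(data) == BAD_VALUE)`, so any other non-success status from `read()` is ignored and the partially filled element is still added to the vector. Propagating the status closes that gap: `status_t err = s.read(data); if (err != NO_ERROR) return err;`, and the same for `d`. The `count > data.dataSize()` bound also compares an element count with the byte size of the whole parcel, including bytes already consumed, so `data.dataAvail()` would be a tighter limit before `setCapacity(count)` reserves memory. The `case` body continues past the end of the hunk.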
||||||
|
@ -55,8 +55,12 @@ status_t layer_state_t::read(const Parcel& input)
|
|||||||
alpha = input.readFloat();
|
alpha = input.readFloat();
|
||||||
flags = input.readInt32();
|
flags = input.readInt32();
|
||||||
mask = input.readInt32();
|
mask = input.readInt32();
|
||||||
matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(
|
const void* matrix_data = input.readInplace(sizeof(layer_state_t::matrix22_t));
|
||||||
input.readInplace(sizeof(layer_state_t::matrix22_t)));
|
if (matrix_data) {
|
||||||
|
matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(matrix_data);
|
||||||
|
} else {
|
||||||
|
return BAD_VALUE;
|
||||||
|
}
|
||||||
input.read(crop);
|
input.read(crop);
|
||||||
input.read(transparentRegion);
|
input.read(transparentRegion);
|
||||||
return NO_ERROR;
|
return NO_ERROR;
|
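Review bot: The statuses of `input.read(crop)` and `input.read(transparentRegion)` are still discarded after the new `matrix_data` check, so a parcel that is truncated after the matrix still reaches `return NO_ERROR`. The transaction handler now relies on a `read()` return value to reject malformed input (presumably reaching this function through `ComposerState::read`, which is not shown), so these two calls should propagate failure as well: `status_t err = input.read(crop); if (err != NO_ERROR) return err;` and likewise for `transparentRegion`. The function begins above the hunk, so its earlier reads are not visible here.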
||||||
|