ADHOC
/
replicant-frameworks_native
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge "Fix crash when user provides large values in the Parcel." into lmp-mr1-dev

This commit is contained in:
Michael Lentine 2014-10-31 23:37:47 +00:00 committed by Android (Google) Code Review
parent 9853685931 8afa1c4ab8
commit 793fc0e13d
2 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libs/gui/ISurfaceComposer.cpp
View File

@ -312,19 +312,29 @@ status_t BnSurfaceComposer::onTransact(
case SET_TRANSACTION_STATE: { case SET_TRANSACTION_STATE: {
CHECK_INTERFACE(ISurfaceComposer, data, reply); CHECK_INTERFACE(ISurfaceComposer, data, reply);
size_t count = data.readInt32(); size_t count = data.readInt32();
if (count > data.dataSize()) {
return BAD_VALUE;
}
ComposerState s; ComposerState s;
Vector<ComposerState> state; Vector<ComposerState> state;
state.setCapacity(count); state.setCapacity(count);
for (size_t i=0 ; i<count ; i++) { for (size_t i=0 ; i<count ; i++) {
s.read(data); if (s.read(data) == BAD_VALUE) {
return BAD_VALUE;
}
state.add(s); state.add(s);
} }
count = data.readInt32(); count = data.readInt32();
if (count > data.dataSize()) {
return BAD_VALUE;
}
DisplayState d; DisplayState d;
Vector<DisplayState> displays; Vector<DisplayState> displays;
displays.setCapacity(count); displays.setCapacity(count);
for (size_t i=0 ; i<count ; i++) { for (size_t i=0 ; i<count ; i++) {
d.read(data); if (d.read(data) == BAD_VALUE) {
return BAD_VALUE;
}
displays.add(d); displays.add(d);
} }
uint32_t flags = data.readInt32(); uint32_t flags = data.readInt32();

8
libs/gui/LayerState.cpp
View File

@ -55,8 +55,12 @@ status_t layer_state_t::read(const Parcel& input)
alpha = input.readFloat(); alpha = input.readFloat();
flags = input.readInt32(); flags = input.readInt32();
mask = input.readInt32(); mask = input.readInt32();
matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>( const void* matrix_data = input.readInplace(sizeof(layer_state_t::matrix22_t));
input.readInplace(sizeof(layer_state_t::matrix22_t))); if (matrix_data) {
matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(matrix_data);
} else {
return BAD_VALUE;
}
input.read(crop); input.read(crop);
input.read(transparentRegion); input.read(transparentRegion);
return NO_ERROR; return NO_ERROR;