Fix crash when user provides large values in the Parcel.

Bug: 18102648
Change-Id: Ie6a24718e586a34424238363de80f9545951514f
Michael Lentine 2014-10-31 11:10:13 -07:00
parent fae12d4fb4
commit 8afa1c4ab8
2 changed files with 18 additions and 4 deletions


@ -312,19 +312,29 @@ status_t BnSurfaceComposer::onTransact(
case SET_TRANSACTION_STATE: {
CHECK_INTERFACE(ISurfaceComposer, data, reply);
size_t count = data.readInt32();
if (count > data.dataSize()) {
return BAD_VALUE;
}
ComposerState s;
Vector<ComposerState> state;
state.setCapacity(count);
for (size_t i=0 ; i<count ; i++) {
s.read(data);
if (s.read(data) == BAD_VALUE) {
return BAD_VALUE;
}
state.add(s);
}
count = data.readInt32();
if (count > data.dataSize()) {
return BAD_VALUE;
}
DisplayState d;
Vector<DisplayState> displays;
displays.setCapacity(count);
for (size_t i=0 ; i<count ; i++) {
d.read(data);
if (d.read(data) == BAD_VALUE) {
return BAD_VALUE;
}
displays.add(d);
}
uint32_t flags = data.readInt32();
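Review bot: The two loop checks `if (s.read(data) == BAD_VALUE)` and `if (d.read(data) == BAD_VALUE)` treat every other non-zero status as success, so a read that fails with a different error code would still add a partially populated state to the vector. Comparing against success is safer for data that arrives from another process: `if (s.read(data) != NO_ERROR) return BAD_VALUE;`, and the same for `d.read(data)`. Separately, `count > data.dataSize()` compares an element count with a byte size, so it is only a loose upper bound on what `setCapacity(count)` may allocate; a comment saying so, or a bound based on the unread bytes, would make the intent clear. `onTransact` begins and continues outside this hunk, and whether `DisplayState::read` can return an error at all is not visible here.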


@ -55,8 +55,12 @@ status_t layer_state_t::read(const Parcel& input)
alpha = input.readFloat();
flags = input.readInt32();
mask = input.readInt32();
matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(
input.readInplace(sizeof(layer_state_t::matrix22_t)));
const void* matrix_data = input.readInplace(sizeof(layer_state_t::matrix22_t));
if (matrix_data) {
matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(matrix_data);
} else {
return BAD_VALUE;
}
input.read(crop);
input.read(transparentRegion);
return NO_ERROR;
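Review bot: After the new null check on `matrix_data`, the results of `input.read(crop)` and `input.read(transparentRegion)` are still discarded and the function returns `NO_ERROR`, so a Parcel truncated after the matrix is reported as a successful read. Assuming these overloads return a `status_t` like the other Parcel reads, the tail could become `if (input.read(crop) != NO_ERROR || input.read(transparentRegion) != NO_ERROR) return BAD_VALUE;`. The start of `layer_state_t::read` is outside the hunk, so the fields read before `alpha` are not covered by this note.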