Fix crash when user provides large values in the Parcel.
Bug: 18102648 Change-Id: Ie6a24718e586a34424238363de80f9545951514f
This commit is contained in:
parent
fae12d4fb4
commit
8afa1c4ab8
@ -312,19 +312,29 @@ status_t BnSurfaceComposer::onTransact(
|
||||
case SET_TRANSACTION_STATE: {
|
||||
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
||||
size_t count = data.readInt32();
|
||||
if (count > data.dataSize()) {
|
||||
return BAD_VALUE;
|
||||
}
|
||||
ComposerState s;
|
||||
Vector<ComposerState> state;
|
||||
state.setCapacity(count);
|
||||
for (size_t i=0 ; i<count ; i++) {
|
||||
s.read(data);
|
||||
if (s.read(data) == BAD_VALUE) {
|
||||
return BAD_VALUE;
|
||||
}
|
||||
state.add(s);
|
||||
}
|
||||
count = data.readInt32();
|
||||
if (count > data.dataSize()) {
|
||||
return BAD_VALUE;
|
||||
}
|
||||
DisplayState d;
|
||||
Vector<DisplayState> displays;
|
||||
displays.setCapacity(count);
|
||||
for (size_t i=0 ; i<count ; i++) {
|
||||
d.read(data);
|
||||
if (d.read(data) == BAD_VALUE) {
|
||||
return BAD_VALUE;
|
||||
}
|
||||
displays.add(d);
|
||||
}
|
||||
uint32_t flags = data.readInt32();
|
||||
|
@ -55,8 +55,12 @@ status_t layer_state_t::read(const Parcel& input)
|
||||
alpha = input.readFloat();
|
||||
flags = input.readInt32();
|
||||
mask = input.readInt32();
|
||||
matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(
|
||||
input.readInplace(sizeof(layer_state_t::matrix22_t)));
|
||||
const void* matrix_data = input.readInplace(sizeof(layer_state_t::matrix22_t));
|
||||
if (matrix_data) {
|
||||
matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(matrix_data);
|
||||
} else {
|
||||
return BAD_VALUE;
|
||||
}
|
||||
input.read(crop);
|
||||
input.read(transparentRegion);
|
||||
return NO_ERROR;
|
||||
|
Loading…
Reference in New Issue
Block a user