Sanity check IMemory access versus underlying mmap

Bug 26877992

Change-Id: Ibbf4b1061e4675e4e96bc944a865b53eaf6984fe
Christopher Tate 2016-02-05 19:02:56 -08:00 committed by The Android Automerger
parent 28a83d4206
commit a5d2913b07


@ -26,6 +26,7 @@
#include <sys/mman.h> #include <sys/mman.h>
#include <binder/IMemory.h> #include <binder/IMemory.h>
#include <cutils/log.h>
#include <utils/KeyedVector.h> #include <utils/KeyedVector.h>
#include <utils/threads.h> #include <utils/threads.h>
#include <utils/Atomic.h> #include <utils/Atomic.h>
@ -187,15 +188,26 @@ sp<IMemoryHeap> BpMemory::getMemory(ssize_t* offset, size_t* size) const
if (heap != 0) { if (heap != 0) {
mHeap = interface_cast<IMemoryHeap>(heap); mHeap = interface_cast<IMemoryHeap>(heap);
if (mHeap != 0) { if (mHeap != 0) {
mOffset = o; size_t heapSize = mHeap->getSize();
mSize = s; if (s <= heapSize
&& o >= 0
&& (static_cast<size_t>(o) <= heapSize - s)) {
mOffset = o;
mSize = s;
} else {
// Hm.
android_errorWriteWithInfoLog(0x534e4554,
"26877992", -1, NULL, 0);
mOffset = 0;
mSize = 0;
}
} }
} }
} }
} }
if (offset) *offset = mOffset; if (offset) *offset = mOffset;
if (size) *size = mSize; if (size) *size = mSize;
return mHeap; return (mSize > 0) ? mHeap : 0;
} }
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
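Review bot: The new `return (mSize > 0) ? mHeap : 0;` makes a region that passed the bounds check with `s == 0` indistinguishable from one that failed it, since both now give the caller a null heap. If zero-length IMemory objects are legitimate for any caller, that is a behaviour change worth stating in the commit message or replacing with an explicit "validation failed" flag. The rejection branch also needs a real comment in place of `// Hm.`, for example `// Remote-supplied offset/size fall outside the heap: log it and expose an empty region.`, along with a note that `0x534e4554` spells `SNET` in ASCII and is the event-log tag for this report. The bounds test itself is overflow-safe, because `heapSize - s` is only evaluated after `s <= heapSize`. getMemory's body starts outside the hunk, so how the cached `mHeap` affects later calls after a rejection is not visible here.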