libgui: Check slot received from IGBP in Surface

Checks that the slot number received from mGraphicBufferProducer in
Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to
protect against a malicious BnGraphicBufferProducer.

Bug: 36991414
AOSP-Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa
(cherry picked from commit 90ce2a9c1d3af422c66b4061805831cb208263d8)

CVE-2017-0665

Change-Id: If0fd4864b9fc4ea5a1c83d10adef26cdabb0f7e8
This commit is contained in:
Dan Stoza 2017-05-01 16:31:53 -07:00 committed by MSe
parent e34afe0a4b
commit c5fe5044f4

View File

@ -237,6 +237,12 @@ int Surface::dequeueBuffer(android_native_buffer_t** buffer, int* fenceFd) {
return result;
}
if (buf < 0 || buf >= NUM_BUFFER_SLOTS) {
ALOGE("dequeueBuffer: IGraphicBufferProducer returned invalid slot number %d", buf);
android_errorWriteLog(0x534e4554, "36991414"); // SafetyNet logging
return FAILED_TRANSACTION;
}
Mutex::Autolock lock(mMutex);
sp<GraphicBuffer>& gbuf(mSlots[buf].buffer);