ADHOC/replicant-frameworks_native
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

libgui: check for invalid slot in attachBuffer

Browse Source 
Bug: 37478824
Test: manual
AOSP-Change-Id: I369337d53539bf7f7e3d925bccdae4045da1b404
(cherry picked from commit c79a29689c1046f1f0301c75df9b9a67cba8bf04)

CVE-2017-0667

Change-Id: I15290a700c2e0f0da9a44bb3131c4e38cadbaed3
This commit is contained in:
Chia-I Wu 2017-05-15 10:32:27 -07:00 committed by MSe
parent a3a09ef6b4
commit ea0521baee
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libs/gui/IGraphicBufferProducer.cpp
View File

@ -26,6 +26,7 @@
#include <binder/Parcel.h>
#include <binder/IInterface.h>
#include <gui/BufferQueueDefs.h>
#include <gui/IGraphicBufferProducer.h>
#include <gui/IProducerListener.h>
@ -170,8 +171,16 @@ public:
if (result != NO_ERROR) {
return result;
}
*slot = reply.readInt32();
result = reply.readInt32();
if (result == NO_ERROR &&
(*slot < 0 || *slot >= BufferQueueDefs::NUM_BUFFER_SLOTS)) {
ALOGE("attachBuffer returned invalid slot %d", *slot);
android_errorWriteLog(0x534e4554, "37478824");
return UNKNOWN_ERROR;
}
return result;
}