Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e48cf5b8 authored by Mike Lockwood's avatar Mike Lockwood
Browse files

Fix bounds checking for GetPartialObject command 

GetPartialObject has only 3 arguments, whereas the 64 bit version takes 4.

Bug: 18786282
Change-Id: I4376962769ed0eae2f4991c2569244db22509204
parent 145cf5d8

media/mtp/MtpServer.cpp

+8 −2
Original line number Diff line number Diff line
@@ -819,18 +819,24 @@ MtpResponseCode MtpServer::doGetThumb() { 
MtpResponseCode MtpServer::doGetPartialObject(MtpOperationCode operation) {

    if (!hasStorage())

        return MTP_RESPONSE_INVALID_OBJECT_HANDLE;

    if (mRequest.getParameterCount() < 4)

        return MTP_RESPONSE_INVALID_PARAMETER;

    MtpObjectHandle handle = mRequest.getParameter(1);

    uint64_t offset;

    uint32_t length;

    offset = mRequest.getParameter(2);

    if (operation == MTP_OPERATION_GET_PARTIAL_OBJECT_64) {

        // MTP_OPERATION_GET_PARTIAL_OBJECT_64 takes 4 arguments

        if (mRequest.getParameterCount() < 4)

            return MTP_RESPONSE_INVALID_PARAMETER;



        // android extension with 64 bit offset

        uint64_t offset2 = mRequest.getParameter(3);

        offset = offset | (offset2 << 32);

        length = mRequest.getParameter(4);

    } else {

        // MTP_OPERATION_GET_PARTIAL_OBJECT takes 3 arguments

        if (mRequest.getParameterCount() < 3)

            return MTP_RESPONSE_INVALID_PARAMETER;



        // standard GetPartialObject

        length = mRequest.getParameter(3);

    }