Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 70e25ee6 authored by Arthur Ishiguro's avatar Arthur Ishiguro
Browse files

Fix unchecked size in ISensorServer code 

Bug: 128919198
Test: adb shell service call sensorservice  6 i32 1 i32 1 i32 -1, verify no crash
Change-Id: I1db27d2ea579172cd35c0f05d2875efebb64a429
parent ad621296

libs/sensor/ISensorServer.cpp

+13 −2
Original line number Diff line number Diff line
@@ -216,14 +216,25 @@ status_t BnSensorServer::onTransact( 
            int32_t type;

            Vector<float> floats;

            Vector<int32_t> ints;

            uint32_t count;



            handle = data.readInt32();

            type = data.readInt32();

            floats.resize(data.readUint32());



            count = data.readUint32();

            if (count > (data.dataAvail() / sizeof(float))) {

              return BAD_VALUE;

            }

            floats.resize(count);

            for (auto &i : floats) {

                i = data.readFloat();

            }

            ints.resize(data.readUint32());



            count = data.readUint32();

            if (count > (data.dataAvail() / sizeof(int32_t))) {

              return BAD_VALUE;

            }

            ints.resize(count);

            for (auto &i : ints) {

                i = data.readInt32();

            }