Fix crash when user provides large values in the Parcel. (ae33effd) · Commits · e / os / android_frameworks_native

libs/gui/ISurfaceComposer.cpp

+12 −2

Original line number	Diff line number	Diff line
		@@ -312,19 +312,29 @@ status_t BnSurfaceComposer::onTransact(
		case SET_TRANSACTION_STATE: {
		CHECK_INTERFACE(ISurfaceComposer, data, reply);
		size_t count = data.readInt32();
		if (count > data.dataSize()) {
		return BAD_VALUE;
		}
		ComposerState s;
		Vector<ComposerState> state;
		state.setCapacity(count);
		for (size_t i=0 ; i<count ; i++) {
		s.read(data);
		if (s.read(data) == BAD_VALUE) {
		return BAD_VALUE;
		}
		state.add(s);
		}
		count = data.readInt32();
		if (count > data.dataSize()) {
		return BAD_VALUE;
		}
		DisplayState d;
		Vector<DisplayState> displays;
		displays.setCapacity(count);
		for (size_t i=0 ; i<count ; i++) {
		d.read(data);
		if (d.read(data) == BAD_VALUE) {
		return BAD_VALUE;
		}
		displays.add(d);
		}
		uint32_t flags = data.readInt32();

+6 −2

Original line number	Diff line number	Diff line
		@@ -55,8 +55,12 @@ status_t layer_state_t::read(const Parcel& input)
		alpha = input.readFloat();
		flags = input.readInt32();
		mask = input.readInt32();
		matrix = reinterpret_cast<layer_state_t::matrix22_t const >(
		input.readInplace(sizeof(layer_state_t::matrix22_t)));
		const void* matrix_data = input.readInplace(sizeof(layer_state_t::matrix22_t));
		if (matrix_data) {
		matrix = reinterpret_cast<layer_state_t::matrix22_t const >(matrix_data);
		} else {
		return BAD_VALUE;
		}
		input.read(crop);
		input.read(transparentRegion);
		return NO_ERROR;