
Commit c7a88071 authored by ramindani's avatar ramindani Committed by Ram Indani

[HIDL composer] Verify key & value sizes are within the data size range

Invalid sizes can cause OOB reads, which cause the crash

Test: atest VtsHalGraphicsComposerV2_1TargetTest && atest VtsHalGraphicsComposerV2_2TargetTest && atest VtsHalGraphicsComposerV2_3TargetTest && atest VtsHalGraphicsComposerV2_4TargetTest
go/wm-smoke test
BUG: 252995613

Change-Id: I77e472851236eba2b8418034144c9cc8237c7143
parent e6e7fdfd
+5 −1
@@ -679,6 +679,10 @@ class CommandReaderBase {

    uint32_t read() { return mData[mDataRead++]; }

    bool isReadSizeValid(uint32_t size) const {
        return mDataRead * sizeof(uint32_t) + size <= mDataSize;
    }

    int32_t readSigned() {
        int32_t val;
        memcpy(&val, &mData[mDataRead++], sizeof(val));
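Review bot: The bound in `isReadSizeValid` is computed as a sum, `mDataRead * sizeof(uint32_t) + size`, and `size` comes straight from `read()` in the callers (`keySize`, `valueSize`), so on a build where `size_t` is 32 bits a value near `UINT32_MAX` wraps the sum and passes the check that guards `readBlob`. Comparing against the remaining space avoids the wrap: `const size_t used = mDataRead * sizeof(uint32_t); return used <= mDataSize && size <= mDataSize - used;`. The hunk does not show the unit of `mDataSize`; `mDataRead` indexes `uint32_t` words (`mData[mDataRead++]`), so if `mDataSize` is also a word count the comparison mixes bytes with words and would accept sizes up to four times too large; this needs confirming against the member declarations, with a one-line comment on the helper stating that `size` is in bytes. `readSigned` continues past the end of the hunk and the class starts before it.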
+6 −0
@@ -90,6 +90,9 @@ class ComposerCommandEngine : public V2_3::hal::ComposerCommandEngine {
        }

        const uint32_t keySize = read();
        if (!isReadSizeValid(keySize)) {
            return false;
        }
        std::string key;
        key.resize(keySize);
        readBlob(keySize, key.data());
@@ -97,6 +100,9 @@ class ComposerCommandEngine : public V2_3::hal::ComposerCommandEngine {
        const bool mandatory = read();

        const uint32_t valueSize = read();
        if (!isReadSizeValid(valueSize)) {
            return false;
        }
        std::vector<uint8_t> value(valueSize);
        readBlob(valueSize, value.data());