Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 90ce2a9c authored by Dan Stoza's avatar Dan Stoza
Browse files

libgui: Check slot received from IGBP in Surface 

Checks that the slot number received from mGraphicBufferProducer in
Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to
protect against a malicious BnGraphicBufferProducer.

Bug: 36991414
Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa
parent bec844f6

libs/gui/Surface.cpp

+6 −0
Original line number Diff line number Diff line
@@ -222,6 +222,12 @@ int Surface::dequeueBuffer(android_native_buffer_t** buffer, int* fenceFd) { 
        return result;

    }



    if (buf < 0 || buf >= NUM_BUFFER_SLOTS) {

        ALOGE("dequeueBuffer: IGraphicBufferProducer returned invalid slot number %d", buf);

        android_errorWriteLog(0x534e4554, "36991414"); // SafetyNet logging

        return FAILED_TRANSACTION;

    }



    Mutex::Autolock lock(mMutex);



    sp<GraphicBuffer>& gbuf(mSlots[buf].buffer);