
Commit bdc293ac authored by Devin Moore's avatar Devin Moore

ISensorServer: validate vector size before setCapacity

If we don't check the size, we can run out of memory. Use the Parcel API
that knows about the binder transaction size limits.

Test: libsensorserviceaidl_fuzzer
Bug: none
Change-Id: I2d00e14e8c67e9899532577628c54e9a74f584d7
parent 653739c1
+24 −0
@@ -64,6 +64,14 @@ public:
        Sensor s;
        Vector<Sensor> v;
        uint32_t n = reply.readUint32();
        // The size of the n Sensor elements on the wire is what we really want, but
        // this is better than nothing.
        if (n > reply.dataAvail()) {
            ALOGE("Failed to get a reasonable size of the sensor list. This is likely a "
                  "malformed reply parcel. Number of elements: %d, data available in reply: %zu",
                  n, reply.dataAvail());
            return v;
        }
        v.setCapacity(n);
        while (n) {
            n--;
@@ -86,6 +94,14 @@ public:
        Sensor s;
        Vector<Sensor> v;
        uint32_t n = reply.readUint32();
        // The size of the n Sensor elements on the wire is what we really want, but
        // this is better than nothing.
        if (n > reply.dataAvail()) {
            ALOGE("Failed to get a reasonable size of the sensor list. This is likely a "
                  "malformed reply parcel. Number of elements: %d, data available in reply: %zu",
                  n, reply.dataAvail());
            return v;
        }
        v.setCapacity(n);
        while (n) {
            n--;
@@ -109,6 +125,14 @@ public:
        Sensor s;
        Vector<Sensor> v;
        uint32_t n = reply.readUint32();
        // The size of the n Sensor elements on the wire is what we really want, but
        // this is better than nothing.
        if (n > reply.dataAvail()) {
            ALOGE("Failed to get a reasonable size of the sensor list. This is likely a "
                  "malformed reply parcel. Number of elements: %d, data available in reply: %zu",
                  n, reply.dataAvail());
            return v;
        }
        v.setCapacity(n);
        while (n) {
            n--;
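Review bot: The guard `if (n > reply.dataAvail())` compares an element count with a byte count, so a reply whose n is just under dataAvail() still passes and `v.setCapacity(n)` reserves room for n Sensor objects, each of which presumably occupies far more than one byte in memory. The comment concedes this; if Sensor has a known minimum flattened size, dividing by it would tighten the bound, e.g. `if (n > reply.dataAvail() / kMinSensorWireSize)` (placeholder constant name), or the capacity hint could be dropped so the vector only grows as elements are actually read. Separately, `n` is a `uint32_t` logged with `%d`, so the oversized values this check exists to catch can print as negative numbers; `%u` (or `PRIu32`) is the matching specifier. The same eight lines recur in the hunks at -64 and -86, so a small shared helper would keep the three copies from drifting apart. The enclosing functions start and end outside the hunks, so whether each per-element read in the loop is checked cannot be seen from here.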