author | Mike Lockwood <lockwood@google.com> | 2014-11-12 14:20:06 -0800 |
---|---|---|
committer | Mike Lockwood <lockwood@google.com> | 2014-11-12 16:08:37 -0800 |
commit | ab063847e6e893740749029a04cce1f6b7345ed5 (patch) | |
tree | 8b840e9152cfa638aa354a0379962a89914e0006 /media/mtp/MtpDevice.cpp | |
parent | 745602d87607521f4fe84c4f3a6388fbdb6a867c (diff) | |
MTP: add strict bounds checking for all incoming packets
Previously we did not sanity check incoming MTP packets,
which could result in crashes due to reading off the edge of a packet.
Now all MTP packet getter functions return a boolean result
(true for OK, false for reading off the edge of the packet)
and we now return errors for malformed packets.
Bug: 18113092
Change-Id: Ic7623ee96f00652bdfb4f66acb16a93db5a1c105
Diffstat (limited to 'media/mtp/MtpDevice.cpp')
-rw-r--r-- | media/mtp/MtpDevice.cpp | 32 |
1 files changed, 21 insertions, 11 deletions
diff --git a/media/mtp/MtpDevice.cpp b/media/mtp/MtpDevice.cpp
index d6d5dd5..e0d679d 100644
--- a/media/mtp/MtpDevice.cpp
+++ b/media/mtp/MtpDevice.cpp
@@ -313,8 +313,10 @@ MtpDeviceInfo* MtpDevice::getDeviceInfo() {
 MtpResponseCode ret = readResponse();
 if (ret == MTP_RESPONSE_OK) {
 MtpDeviceInfo* info = new MtpDeviceInfo;
- info->read(mData);
- return info;
+ if (info->read(mData))
+ return info;
+ else
+ delete info;
 }
 return NULL;
 }
@@ -346,8 +348,10 @@ MtpStorageInfo* MtpDevice::getStorageInfo(MtpStorageID storageID) {
 MtpResponseCode ret = readResponse();
 if (ret == MTP_RESPONSE_OK) {
 MtpStorageInfo* info = new MtpStorageInfo(storageID);
- info->read(mData);
- return info;
+ if (info->read(mData))
+ return info;
+ else
+ delete info;
 }
 return NULL;
 }
@@ -385,8 +389,10 @@ MtpObjectInfo* MtpDevice::getObjectInfo(MtpObjectHandle handle) {
 MtpResponseCode ret = readResponse();
 if (ret == MTP_RESPONSE_OK) {
 MtpObjectInfo* info = new MtpObjectInfo(handle);
- info->read(mData);
- return info;
+ if (info->read(mData))
+ return info;
+ else
+ delete info;
 }
 return NULL;
 }
@@ -547,8 +553,10 @@ MtpProperty* MtpDevice::getDevicePropDesc(MtpDeviceProperty code) {
 MtpResponseCode ret = readResponse();
 if (ret == MTP_RESPONSE_OK) {
 MtpProperty* property = new MtpProperty;
- property->read(mData);
- return property;
+ if (property->read(mData))
+ return property;
+ else
+ delete property;
 }
 return NULL;
 }
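Review bot: In getDeviceInfo the new `else delete info;` path runs the destructor on an object whose `read()` stopped partway through the packet, so it is only safe if the MtpDeviceInfo constructor (not visible in this diff) initializes every member the destructor releases. The same applies to MtpStorageInfo, MtpObjectInfo and MtpProperty in the getStorageInfo, getObjectInfo, getDevicePropDesc and getObjectPropDesc hunks. The rejection is also silent: a malformed dataset now returns NULL exactly as a non-OK response does, so a line such as `ALOGE("getDeviceInfo: malformed DeviceInfo dataset");` before the delete would let a truncated or hostile packet be told apart from an ordinary device error. As a style point, braces around the new `if`/`else` bodies would match the braced `if (ret == MTP_RESPONSE_OK) {` around them.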
@@ -566,15 +574,17 @@ MtpProperty* MtpDevice::getObjectPropDesc(MtpObjectProperty code, MtpObjectForma MtpResponseCode ret = readResponse(); if (ret == MTP_RESPONSE_OK) { MtpProperty* property = new MtpProperty; - property->read(mData); - return property; + if (property->read(mData)) + return property; + else + delete property; } return NULL; } bool MtpDevice::readObject(MtpObjectHandle handle, bool (* callback)(void* data, int offset, int length, void* clientData), - int objectSize, void* clientData) { + size_t objectSize, void* clientData) { Mutex::Autolock autoLock(mMutex); bool result = false; |
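Review bot: Widening `objectSize` to `size_t` in readObject leaves the callback parameter list just above it at `int offset, int length`, so any offset or length the body derives from objectSize is narrowed back to int when handed to the callback. A caller that still passes a negative int now produces a very large size_t rather than a value that can be recognised as invalid. The body of readObject continues outside the hunk, so whether it bounds objectSize cannot be seen here; if it does not, a guard such as `if (objectSize > INT_MAX) return false;` at the top, or a comment stating the accepted range, would keep the two types consistent.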