author | Mike Lockwood <lockwood@google.com> | 2014-11-12 14:20:06 -0800 |
---|---|---|
committer | Mike Lockwood <lockwood@google.com> | 2014-11-12 16:08:37 -0800 |
commit | ab063847e6e893740749029a04cce1f6b7345ed5 (patch) | |
tree | 8b840e9152cfa638aa354a0379962a89914e0006 /media/mtp/MtpObjectInfo.cpp | |
parent | 745602d87607521f4fe84c4f3a6388fbdb6a867c (diff) | |
MTP: add strict bounds checking for all incoming packets
Previously we did not sanity check incoming MTP packets,
which could result in crashes due to reading off the edge of a packet.
Now all MTP packet getter functions return a boolean result
(true for OK, false for reading off the edge of the packet)
and we now return errors for malformed packets.
Bug: 18113092
Change-Id: Ic7623ee96f00652bdfb4f66acb16a93db5a1c105
Diffstat (limited to 'media/mtp/MtpObjectInfo.cpp')
-rw-r--r-- | media/mtp/MtpObjectInfo.cpp | 42 |
1 files changed, 22 insertions, 20 deletions
diff --git a/media/mtp/MtpObjectInfo.cpp b/media/mtp/MtpObjectInfo.cpp
index cd15343..0573104 100644
--- a/media/mtp/MtpObjectInfo.cpp
+++ b/media/mtp/MtpObjectInfo.cpp
@@ -55,39 +55,41 @@ MtpObjectInfo::~MtpObjectInfo() {
 free(mKeywords);
 }
-void MtpObjectInfo::read(MtpDataPacket& packet) {
+bool MtpObjectInfo::read(MtpDataPacket& packet) {
 MtpStringBuffer string;
 time_t time;
- mStorageID = packet.getUInt32();
- mFormat = packet.getUInt16();
- mProtectionStatus = packet.getUInt16();
- mCompressedSize = packet.getUInt32();
- mThumbFormat = packet.getUInt16();
- mThumbCompressedSize = packet.getUInt32();
- mThumbPixWidth = packet.getUInt32();
- mThumbPixHeight = packet.getUInt32();
- mImagePixWidth = packet.getUInt32();
- mImagePixHeight = packet.getUInt32();
- mImagePixDepth = packet.getUInt32();
- mParent = packet.getUInt32();
- mAssociationType = packet.getUInt16();
- mAssociationDesc = packet.getUInt32();
- mSequenceNumber = packet.getUInt32();
+ if (!packet.getUInt32(mStorageID)) return false;
+ if (!packet.getUInt16(mFormat)) return false;
+ if (!packet.getUInt16(mProtectionStatus)) return false;
+ if (!packet.getUInt32(mCompressedSize)) return false;
+ if (!packet.getUInt16(mThumbFormat)) return false;
+ if (!packet.getUInt32(mThumbCompressedSize)) return false;
+ if (!packet.getUInt32(mThumbPixWidth)) return false;
+ if (!packet.getUInt32(mThumbPixHeight)) return false;
+ if (!packet.getUInt32(mImagePixWidth)) return false;
+ if (!packet.getUInt32(mImagePixHeight)) return false;
+ if (!packet.getUInt32(mImagePixDepth)) return false;
+ if (!packet.getUInt32(mParent)) return false;
+ if (!packet.getUInt16(mAssociationType)) return false;
+ if (!packet.getUInt32(mAssociationDesc)) return false;
+ if (!packet.getUInt32(mSequenceNumber)) return false;
- packet.getString(string);
+ if (!packet.getString(string)) return false;
 mName = strdup((const char *)string);
- packet.getString(string);
+ if (!packet.getString(string)) return false;
 if (parseDateTime((const char*)string, time))
 mDateCreated = time;
- packet.getString(string);
+ if (!packet.getString(string)) return false;
 if (parseDateTime((const char*)string, time))
 mDateModified = time;
- packet.getString(string);
+ if (!packet.getString(string)) return false;
 mKeywords = strdup((const char *)string);
+
+ return true;
 }
 void MtpObjectInfo::print() { |
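Review bot: When `read()` returns false partway through, the fields parsed before the truncation have already been overwritten and nothing in the hunk marks the object as invalid, so the new bounds check only protects callers that test the result and discard the object. The callers and the header are outside this file section; I would add a contract comment above the definition, e.g. `// Returns false if the packet is truncated; the object is then partially filled and must not be used.`, and consider `__attribute__((warn_unused_result))` on the declaration so an unchecked call is flagged at build time. Separately, both `strdup()` results are stored unchecked, and `mName`/`mKeywords` are assigned without freeing any earlier value, which would leak if `read()` were ever called twice on one object; both predate this change, but they sit on the same untrusted-packet path and are worth a follow-up.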