From 59cea2616269f34b1f3d046995efd8da42cd5549 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Mon, 20 Apr 2015 11:08:59 -0700 Subject: Add some sanity checks Bug: 19400722 Change-Id: Ib3afdf73fd4647eeea5721c61c8b72dbba0647f6 --- media/libmedia/IMediaHTTPConnection.cpp | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'media/libmedia/IMediaHTTPConnection.cpp') diff --git a/media/libmedia/IMediaHTTPConnection.cpp b/media/libmedia/IMediaHTTPConnection.cpp index 7e26ee6..a5a3714 100644 --- a/media/libmedia/IMediaHTTPConnection.cpp +++ b/media/libmedia/IMediaHTTPConnection.cpp @@ -24,6 +24,7 @@ #include #include #include +#include namespace android { @@ -106,11 +107,18 @@ struct BpMediaHTTPConnection : public BpInterface { return UNKNOWN_ERROR; } - int32_t len = reply.readInt32(); + size_t len = reply.readInt32(); - if (len > 0) { - memcpy(buffer, mMemory->pointer(), len); + if (len > size) { + ALOGE("requested %zu, got %zu", size, len); + return ERROR_OUT_OF_RANGE; } + if (len > mMemory->size()) { + ALOGE("got %zu, but memory has %zu", len, mMemory->size()); + return ERROR_OUT_OF_RANGE; + } + + memcpy(buffer, mMemory->pointer(), len); return len; } -- cgit v1.1