From e48cf5b8f823c30af93577c1e380d752ac69b871 Mon Sep 17 00:00:00 2001
From: Mike Lockwood <lockwood@google.com>
Date: Wed, 17 Dec 2014 12:22:36 -0800
Subject: Fix bounds checking for GetPartialObject command

GetPartialObject has only 3 arguments, whereas the 64 bit version takes 4.

Bug: 18786282
Change-Id: I4376962769ed0eae2f4991c2569244db22509204
---
 media/mtp/MtpServer.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'media/mtp')

diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp
index 931a09d..e4e16f2 100644
--- a/media/mtp/MtpServer.cpp
+++ b/media/mtp/MtpServer.cpp
@@ -819,18 +819,24 @@ MtpResponseCode MtpServer::doGetThumb() {
 MtpResponseCode MtpServer::doGetPartialObject(MtpOperationCode operation) {
     if (!hasStorage())
         return MTP_RESPONSE_INVALID_OBJECT_HANDLE;
-    if (mRequest.getParameterCount() < 4)
-        return MTP_RESPONSE_INVALID_PARAMETER;
     MtpObjectHandle handle = mRequest.getParameter(1);
     uint64_t offset;
     uint32_t length;
     offset = mRequest.getParameter(2);
     if (operation == MTP_OPERATION_GET_PARTIAL_OBJECT_64) {
+        // MTP_OPERATION_GET_PARTIAL_OBJECT_64 takes 4 arguments
+        if (mRequest.getParameterCount() < 4)
+            return MTP_RESPONSE_INVALID_PARAMETER;
+
         // android extension with 64 bit offset
         uint64_t offset2 = mRequest.getParameter(3);
         offset = offset | (offset2 << 32);
         length = mRequest.getParameter(4);
     } else {
+        // MTP_OPERATION_GET_PARTIAL_OBJECT takes 3 arguments
+        if (mRequest.getParameterCount() < 3)
+            return MTP_RESPONSE_INVALID_PARAMETER;
+
         // standard GetPartialObject
         length = mRequest.getParameter(3);
     }
-- 
cgit v1.1