diff options
| author | Christopher Tate <ctate@google.com> | 2016-02-05 19:02:56 -0800 |
|---|---|---|
| committer | The Android Automerger <android-build@google.com> | 2016-02-26 16:56:14 -0800 |
| commit | 25719f6e1f7e892df17b6f7eb4d6fc8c1fcc35f3 (patch) | |
| tree | a522a39ff80c6cc044e35dac300ab273fe427eb3 | |
| parent | b3a9e6d04da503026b33a66f276a7753dcc11a3b (diff) | |
| download | frameworks_native-25719f6e1f7e892df17b6f7eb4d6fc8c1fcc35f3.zip frameworks_native-25719f6e1f7e892df17b6f7eb4d6fc8c1fcc35f3.tar.gz frameworks_native-25719f6e1f7e892df17b6f7eb4d6fc8c1fcc35f3.tar.bz2 | |
Sanity check IMemory access versus underlying mmap
Bug 26877992
Change-Id: Ibbf4b1061e4675e4e96bc944a865b53eaf6984fe
| -rw-r--r-- | libs/binder/IMemory.cpp | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/libs/binder/IMemory.cpp b/libs/binder/IMemory.cpp index e9891a8..fb8d620 100644 --- a/libs/binder/IMemory.cpp +++ b/libs/binder/IMemory.cpp @@ -26,6 +26,7 @@ #include <sys/mman.h> #include <binder/IMemory.h> +#include <cutils/log.h> #include <utils/KeyedVector.h> #include <utils/threads.h> #include <utils/Atomic.h> @@ -187,15 +188,26 @@ sp<IMemoryHeap> BpMemory::getMemory(ssize_t* offset, size_t* size) const if (heap != 0) { mHeap = interface_cast<IMemoryHeap>(heap); if (mHeap != 0) { - mOffset = o; - mSize = s; + size_t heapSize = mHeap->getSize(); + if (s <= heapSize + && o >= 0 + && (static_cast<size_t>(o) <= heapSize - s)) { + mOffset = o; + mSize = s; + } else { + // Hm. + android_errorWriteWithInfoLog(0x534e4554, + "26877992", -1, NULL, 0); + mOffset = 0; + mSize = 0; + } } } } } if (offset) *offset = mOffset; if (size) *size = mSize; - return mHeap; + return (mSize > 0) ? mHeap : 0; } // --------------------------------------------------------------------------- |