am 793fc0e1: Merge "Fix crash when user provides large values in the Parcel." into lmp-mr1-dev

* commit '793fc0e13d25bdecda1219999f8be2cb3c121d20': Fix crash when user provides large values in the Parcel.
author: Michael Lentine <mlentine@google.com> 2014-11-01 00:33:29 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2014-11-01 00:33:29 +0000
commit: 54430ca2a88f57c709ea2924ea0b78820ae62643 (patch)
tree: 307094d84f0206118616b6812982432811a2fce6 /libs
parent: 078794ed377e7080ee155a632482bb98f1c9ade7 (diff)
parent: 793fc0e13d25bdecda1219999f8be2cb3c121d20 (diff)
download: frameworks_native-54430ca2a88f57c709ea2924ea0b78820ae62643.zip
frameworks_native-54430ca2a88f57c709ea2924ea0b78820ae62643.tar.gz
frameworks_native-54430ca2a88f57c709ea2924ea0b78820ae62643.tar.bz2
2 files changed, 18 insertions, 4 deletions
diff --git a/libs/gui/ISurfaceComposer.cpp b/libs/gui/ISurfaceComposer.cpp
index 81e8336..ebb687a 100644
--- a/libs/gui/ISurfaceComposer.cpp
+++ b/libs/gui/ISurfaceComposer.cpp
@@ -312,19 +312,29 @@ status_t BnSurfaceComposer::onTransact(
         case SET_TRANSACTION_STATE: {
             CHECK_INTERFACE(ISurfaceComposer, data, reply);
             size_t count = data.readInt32();
+            if (count > data.dataSize()) {
+                return BAD_VALUE;
+            }
             ComposerState s;
             Vector<ComposerState> state;
             state.setCapacity(count);
             for (size_t i=0 ; i<count ; i++) {
-                s.read(data);
+                if (s.read(data) == BAD_VALUE) {
+                    return BAD_VALUE;
+                }
                 state.add(s);
             }
             count = data.readInt32();
+            if (count > data.dataSize()) {
+                return BAD_VALUE;
+            }
             DisplayState d;
             Vector<DisplayState> displays;
             displays.setCapacity(count);
             for (size_t i=0 ; i<count ; i++) {
-                d.read(data);
+                if (d.read(data) == BAD_VALUE) {
+                    return BAD_VALUE;
+                }
                 displays.add(d);
             }
             uint32_t flags = data.readInt32();
diff --git a/libs/gui/LayerState.cpp b/libs/gui/LayerState.cpp
index 9d3f116..39f8f92 100644
--- a/libs/gui/LayerState.cpp
+++ b/libs/gui/LayerState.cpp
@@ -55,8 +55,12 @@ status_t layer_state_t::read(const Parcel& input)
     alpha = input.readFloat();
     flags = input.readInt32();
     mask = input.readInt32();
-    matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(
-            input.readInplace(sizeof(layer_state_t::matrix22_t)));
+    const void* matrix_data = input.readInplace(sizeof(layer_state_t::matrix22_t));
+    if (matrix_data) {
+        matrix = *reinterpret_cast<layer_state_t::matrix22_t const *>(matrix_data);
+    } else {
+        return BAD_VALUE;
+    }
     input.read(crop);
     input.read(transparentRegion);
     return NO_ERROR;
author	Michael Lentine <mlentine@google.com>	2014-11-01 00:33:29 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	2014-11-01 00:33:29 +0000
commit	54430ca2a88f57c709ea2924ea0b78820ae62643 (patch)
tree	307094d84f0206118616b6812982432811a2fce6 /libs
parent	078794ed377e7080ee155a632482bb98f1c9ade7 (diff)
parent	793fc0e13d25bdecda1219999f8be2cb3c121d20 (diff)
download	frameworks_native-54430ca2a88f57c709ea2924ea0b78820ae62643.zip frameworks_native-54430ca2a88f57c709ea2924ea0b78820ae62643.tar.gz frameworks_native-54430ca2a88f57c709ea2924ea0b78820ae62643.tar.bz2