Diffstat (limited to 'libs/gui/ISurfaceComposer.cpp')
-rw-r--r--libs/gui/ISurfaceComposer.cpp14
1 files changed, 12 insertions, 2 deletions
diff --git a/libs/gui/ISurfaceComposer.cpp b/libs/gui/ISurfaceComposer.cpp
index 81e8336..ebb687a 100644
--- a/libs/gui/ISurfaceComposer.cpp
+++ b/libs/gui/ISurfaceComposer.cpp
@@ -312,19 +312,29 @@ status_t BnSurfaceComposer::onTransact(
case SET_TRANSACTION_STATE: {
CHECK_INTERFACE(ISurfaceComposer, data, reply);
size_t count = data.readInt32();
+ if (count > data.dataSize()) {
+ return BAD_VALUE;
+ }
ComposerState s;
Vector<ComposerState> state;
state.setCapacity(count);
for (size_t i=0 ; i<count ; i++) {
- s.read(data);
+ if (s.read(data) == BAD_VALUE) {
+ return BAD_VALUE;
+ }
state.add(s);
}
count = data.readInt32();
+ if (count > data.dataSize()) {
+ return BAD_VALUE;
+ }
DisplayState d;
Vector<DisplayState> displays;
displays.setCapacity(count);
for (size_t i=0 ; i<count ; i++) {
- d.read(data);
+ if (d.read(data) == BAD_VALUE) {
+ return BAD_VALUE;
+ }
displays.add(d);
}
uint32_t flags = data.readInt32();
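Review bot: The new checks `s.read(data) == BAD_VALUE` and `d.read(data) == BAD_VALUE` reject only that one status, so any other failure status the read() implementations might return (they are not visible here) would still let a partially populated `s` or `d` be added to the vector; comparing against success is stricter, `if (s.read(data) != NO_ERROR) return BAD_VALUE;`, and the same for `d`. Both count guards compare against `data.dataSize()`, the total parcel size, which still lets `setCapacity(count)` reserve far more elements than the unread bytes could encode; `if (count > data.dataAvail()) return BAD_VALUE;` is a tighter bound, and the result of `setCapacity` is left unchecked. The SET_TRANSACTION_STATE case and onTransact itself continue outside the hunk.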