Merge tag 'AUDIO.LA.8.0.r1-10100-KAILUA.0' into staging/lineage-21.0_merge-AUDIO.LA.8.0.r1-10100-KAILUA.0
AUDIO.LA.8.0.r1-10100-KAILUA.0
# By Partha Pratim Barman
# Via Gerrit - the friendly Code Review server (1) and others
* tag 'AUDIO.LA.8.0.r1-10100-KAILUA.0':
ipc: HWBinders: Add check for OOB read and sanitize value of size.
Change-Id: I3c6f9ea9977a4365f6c373d043834e4bbb07b1bd
diff --git a/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp b/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
index aa640c4..c98ce8c 100644
--- a/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
+++ b/ipc/HwBinders/agm_ipc_service/src/agm_server_wrapper.cpp
@@ -28,7 +28,7 @@
* IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Changes from Qualcomm Innovation Center are provided under the following license:
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted (subject to the limitations in the
@@ -1643,18 +1643,26 @@
buf.addr = nullptr;
buf.metadata = nullptr;
- bufSize = buff_hidl.data()->size;
+ if (1 != buff_hidl.size()) {
+ ALOGE("%s: buff_hidl size is not equal to 1.", __func__);
+ goto exit;
+ }
+ bufSize = buff_hidl[0].size;
buf.addr = (uint8_t *)calloc(1, bufSize);
if (!buf.addr) {
ALOGE("%s: failed to calloc", __func__);
goto exit;
}
+ if (bufSize != buff_hidl[0].buffer.size()) {
+ ALOGE("%s: Invalid buffer vector size", __func__);
+ goto exit;
+ }
buf.size = (size_t)bufSize;
- buf.timestamp = buff_hidl.data()->timestamp;
- buf.flags = buff_hidl.data()->flags;
+ buf.timestamp = buff_hidl[0].timestamp;
+ buf.flags = buff_hidl[0].flags;
if (bufSize)
- memcpy(buf.addr, buff_hidl.data()->buffer.data(), bufSize);
+ memcpy(buf.addr, buff_hidl[0].buffer.data(), bufSize);
else {
ALOGE("%s: buf size is null", __func__);
goto exit;
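Review bot: The added consistency check `bufSize != buff_hidl[0].buffer.size()` runs only after `calloc(1, bufSize)`, so a client-supplied `size` that does not match the payload still drives an allocation of that size before the request is rejected. Moving the check above the `calloc` and folding in the zero case, e.g. `if (bufSize == 0 || bufSize != buff_hidl[0].buffer.size()) { ALOGE("%s: Invalid buffer vector size", __func__); goto exit; }`, rejects malformed input before any memory is reserved and avoids a `calloc(1, 0)` call. None of the new `goto exit` branches sets an error code in the visible lines. The function starts and ends outside this hunk, so it is worth confirming that the return value is already a failure at this point and that the `exit` label frees `buf.addr`.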