author Brian Duddie <bduddie@google.com> 2018-03-10 01:57:28 +0000
committer android-build-merger <android-build-merger@google.com> 2018-03-10 01:57:28 +0000
commit9f58afcc4af83526f63a58c6be08bc64488aabd7 (patch)
treef1aa6ddc80bc3f92d5a97db3779821e2270a932a
parentbeffd020f974f8b689a28c9f9e1353376bd22fa2 (diff)
parent0eb4624b33aeb375ae431a6b1e2b787c959968fe (diff)
Add bounds check to sensors direct channel creation
am: 0eb4624b33 Change-Id: I903acbba3c3ca5513b43419246bf277c013a7f8c
-rw-r--r--services/sensorservice/SensorService.cpp8
1 files changed, 7 insertions, 1 deletions
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index 62c2756d2f..89943f75f9 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -21,6 +21,7 @@
#include <cutils/properties.h>
#include <hardware/sensors.h>
#include <hardware_legacy/power.h>
+#include <log/log.h>
#include <openssl/digest.h>
#include <openssl/hmac.h>
#include <openssl/rand.h>
@@ -987,10 +988,15 @@ sp<ISensorEventConnection> SensorService::createSensorDirectConnection(
// check specific to memory type
switch(type) {
case SENSOR_DIRECT_MEM_TYPE_ASHMEM: { // channel backed by ashmem
+ if (resource->numFds < 1) {
+ ALOGE("Ashmem direct channel requires a memory region to be supplied");
+ android_errorWriteLog(0x534e4554, "70986337"); // SafetyNet
+ return nullptr;
+ }
int fd = resource->data[0];
int size2 = ashmem_get_size_region(fd);
// check size consistency
- if (size2 < static_cast<int>(size)) {
+ if (size2 < static_cast<int64_t>(size)) {
ALOGE("Ashmem direct channel size %" PRIu32 " greater than shared memory size %d",
size, size2);
return nullptr;
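Review bot: The widened comparison `size2 < static_cast<int64_t>(size)` has no comment saying why the cast changed, so the old `static_cast<int>` form is easy to reintroduce in a later cleanup. `size` is printed with PRIu32, so it appears to be a 32-bit unsigned value; narrowing it to int would turn anything above INT_MAX negative and let the check pass. A line such as `// compare in 64 bits: casting size to int goes negative above INT_MAX and defeats the check` above the `if` would record that. The same branch also catches a negative return from ashmem_get_size_region() (which I believe signals failure, e.g. an fd that is not an ashmem region) and logs it as a size mismatch; a separate `if (size2 < 0)` branch with its own ALOGE would make the two cases distinguishable in logs. The switch and the enclosing function continue outside the hunk.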