summaryrefslogtreecommitdiff
path: root/libs
diff options
context:
space:
mode:
author Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2020-03-05 00:43:52 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2020-03-05 00:43:52 +0000
commit498d2f69aedcafd4f1eceb16e8e5780c3d72649e (patch)
tree878eeb5df40843257cb745d7fcd4abfd243ce005 /libs
parentc7b2ea04dc76818f7741eca14734bbb2d2a4b66e (diff)
parent29e122b35c30c811943453cfb718bf839a737f22 (diff)
Merge "ISurfaceComposer: boundary check input on CAPTURE_LAYERS" into rvc-dev am: 29e122b35c
Change-Id: I30ff402c2d20f03183b74f8db77784da6adf6460
Diffstat (limited to 'libs')
-rw-r--r--libs/gui/ISurfaceComposer.cpp3
-rw-r--r--libs/gui/include/gui/ISurfaceComposer.h2
2 files changed, 5 insertions, 0 deletions
diff --git a/libs/gui/ISurfaceComposer.cpp b/libs/gui/ISurfaceComposer.cpp
index ce41eaba1d..04c21a9e1d 100644
--- a/libs/gui/ISurfaceComposer.cpp
+++ b/libs/gui/ISurfaceComposer.cpp
@@ -1281,6 +1281,9 @@ status_t BnSurfaceComposer::onTransact(
std::unordered_set<sp<IBinder>, SpHash<IBinder>> excludeHandles;
int numExcludeHandles = data.readInt32();
+ if (numExcludeHandles >= static_cast<int>(MAX_LAYERS)) {
+ return BAD_VALUE;
+ }
excludeHandles.reserve(numExcludeHandles);
for (int i = 0; i < numExcludeHandles; i++) {
excludeHandles.emplace(data.readStrongBinder());
diff --git a/libs/gui/include/gui/ISurfaceComposer.h b/libs/gui/include/gui/ISurfaceComposer.h
index 0659f0de06..09487eab8b 100644
--- a/libs/gui/include/gui/ISurfaceComposer.h
+++ b/libs/gui/include/gui/ISurfaceComposer.h
@@ -76,6 +76,8 @@ class ISurfaceComposer: public IInterface {
public:
DECLARE_META_INTERFACE(SurfaceComposer)
+ static constexpr size_t MAX_LAYERS = 4096;
+
// flags for setTransactionState()
enum {
eSynchronous = 0x01,
generated by cgit v1.2.3-59-g8ed1b (git 2.39.0) at 2026-01-04 16:07:51 +0000