From 0a52509e8cdc6da93daab9c34fdbb63232fa8adf Mon Sep 17 00:00:00 2001
From: Ady Abraham
Date: Tue, 3 Mar 2020 12:51:24 -0800
Subject: ISurfaceComposer: boundary check input on CAPTURE_LAYERS Add a sanity check on numExcludeHandles to make sure we don't cause an overflow.
Test: adb shell /data/nativetest64/SurfaceFlinger_test/SurfaceFlinger_test
Fixes: 146435753
Change-Id: I2c700392727e2f4e0e434fb4c1800f2973c7418b
Merged-In: I2c700392727e2f4e0e434fb4c1800f2973c7418b
---
 libs/gui/ISurfaceComposer.cpp | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'libs/gui/ISurfaceComposer.cpp')
diff --git a/libs/gui/ISurfaceComposer.cpp b/libs/gui/ISurfaceComposer.cpp
index ce41eaba1d..04c21a9e1d 100644
--- a/libs/gui/ISurfaceComposer.cpp
+++ b/libs/gui/ISurfaceComposer.cpp
@@ -1281,6 +1281,9 @@ status_t BnSurfaceComposer::onTransact(
 std::unordered_set, SpHash> excludeHandles;
 int numExcludeHandles = data.readInt32();
+ if (numExcludeHandles >= static_cast(MAX_LAYERS)) {
+ return BAD_VALUE;
+ }
 excludeHandles.reserve(numExcludeHandles);
 for (int i = 0; i < numExcludeHandles; i++) {
 excludeHandles.emplace(data.readStrongBinder());
-- cgit v1.2.3-59-g8ed1b
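Review bot: The added bound on `numExcludeHandles` rejects only counts at or above MAX_LAYERS; a negative count read from the parcel still passes the check and reaches `excludeHandles.reserve(numExcludeHandles)`, where the conversion to an unsigned size turns it into a very large request. The loop that follows would not run for a negative value, so the reserve call is the exposed spot; how it fails (an allocation error or an abort) depends on the library and build flags, which the hunk does not show. Rejecting both ends in the same guard closes the gap: `if (numExcludeHandles < 0 || numExcludeHandles >= static_cast<int>(MAX_LAYERS)) {`. The body of onTransact starts and ends outside this hunk, so any earlier validation of the parcel is not visible here.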