OSDN Git Service

(root) / android-x86 / frameworks-native.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: 85c7095)
libgui: Check slot received from IGBP in Surface
authorDan Stoza <stoza@google.com>
Mon, 1 May 2017 23:31:53 +0000 (16:31 -0700)
committerJP Sugarbroad <jpsugar@google.com>
Fri, 19 May 2017 07:29:35 +0000 (00:29 -0700)
Checks that the slot number received from mGraphicBufferProducer in
Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to
protect against a malicious BnGraphicBufferProducer.

Bug: 36991414
Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa
(cherry picked from commit 90ce2a9c1d3af422c66b4061805831cb208263d8)

libs/gui/Surface.cpp patch | blob | history

diff --git a/libs/gui/Surface.cpp b/libs/gui/Surface.cpp
index 0838290..5a2ca8d 100644 (file)
--- a/libs/gui/Surface.cpp
+++ b/libs/gui/Surface.cpp
@@ -306,6 +306,12 @@ int Surface::dequeueBuffer(android_native_buffer_t** buffer, int* fenceFd) {
         return result;
     }
 
+    if (buf < 0 || buf >= NUM_BUFFER_SLOTS) {
+        ALOGE("dequeueBuffer: IGraphicBufferProducer returned invalid slot number %d", buf);
+        android_errorWriteLog(0x534e4554, "36991414"); // SafetyNet logging
+        return FAILED_TRANSACTION;
+    }
+
     Mutex::Autolock lock(mMutex);
 
     sp<GraphicBuffer>& gbuf(mSlots[buf].buffer);
frameworks/native
About OSDN
Find Software
Develop Software
Help