commit | ce7a476857997b615745b13adaa5465cf4bc6cfe | [log] [tgz] |
---|---|---|
author | Sungtak Lee <taklee@google.com> | Sun Dec 11 06:16:15 2022 +0000 |
committer | Cherrypicker Worker <android-build-cherrypicker-worker@google.com> | Fri Dec 16 10:08:26 2022 +0000 |
tree | 120ffa0fccba7806aece1cd1ce6b5c576919f632 | |
parent | 7e4fb4beed9c7eb6279542b98920ea50f91d11b1 [diff] |
C2SurfaceSyncObj: prevent OOB read in Import Prevent OOB read in C2SurfaceSyncObj::Import from libcodec2_vndk. Bug: 240140929 Test: Manual Change-Id: I7b4cd8aa3fa5b9b2160f0eba40a618b4dd536d5c (cherry picked from commit 9b4f38105ad66615e811483f4927942b231c84b7) Merged-In: I7b4cd8aa3fa5b9b2160f0eba40a618b4dd536d5c
diff --git a/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp b/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp
index 99bccac..bf4ca32 100644
--- a/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp
+++ b/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp
@@ -64,6 +64,11 @@ } HandleSyncMem *o = static_cast<HandleSyncMem*>(handle); + if (o->size() < sizeof(C2SyncVariables)) { + android_errorWriteLog(0x534e4554, "240140929"); + return nullptr; + } + void *ptr = mmap(NULL, o->size(), PROT_READ | PROT_WRITE, MAP_SHARED, o->memFd(), 0); if (ptr == MAP_FAILED) {
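Review bot: The added guard compares only the size recorded in the handle (`o->size()`) with `sizeof(C2SyncVariables)`, so a handle that declares a large enough size but carries a memory fd backed by a shorter object still reaches `mmap`, and a later access past the end of that object can fault instead of failing cleanly here. If the handle can originate in another process, the fd itself should be checked before mapping, for example `struct stat st; if (fstat(o->memFd(), &st) != 0 || st.st_size < static_cast<off_t>(sizeof(C2SyncVariables))) return nullptr;`. It is also worth confirming that this early return leaves `handle` in the same state as the `MAP_FAILED` branch, whose body is outside the hunk, so the two failure paths agree on who closes it. A short comment on the `android_errorWriteLog(0x534e4554, "240140929")` line, such as `// "SNET" security event log tag, keyed by the bug id`, would explain the constant to readers; the enclosing function starts before and continues after the visible lines.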