[automerger skipped] graphics.common V3 -> V4 am: 03103f0f88 am: 7ab64eba85 -s ours
am skip reason: Merged-In Ia43a22d7fe0647d26c368d2490952e1ba5c35262 with SHA-1 4f8bfb49a3 is already in history
Original change: https://android-review.googlesource.com/c/platform/hardware/google/gchips/+/2292016
Change-Id: Ifc14192a9157201db549d1db8beafb17e6957db3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/gralloc4/src/hidl_common/BufferDescriptor.h b/gralloc4/src/hidl_common/BufferDescriptor.h
index abaac62..0d93811 100644
--- a/gralloc4/src/hidl_common/BufferDescriptor.h
+++ b/gralloc4/src/hidl_common/BufferDescriptor.h
@@ -104,6 +104,7 @@
return val;
}
+// There can only be one string at the end of the descriptor
static void push_descriptor_string(hidl_vec<uint8_t> *vec, size_t *pos, const std::string &str)
{
strcpy(reinterpret_cast<char *>(vec->data() + *pos), str.c_str());
@@ -155,12 +156,18 @@
size_t pos = 0;
if (((DESCRIPTOR_32BIT_FIELDS * sizeof(uint32_t) / sizeof(vecT)) +
- (DESCRIPTOR_64BIT_FIELDS * sizeof(uint64_t) / sizeof(vecT))) > androidDescriptor.size())
+ (DESCRIPTOR_64BIT_FIELDS * sizeof(uint64_t) / sizeof(vecT))) +
+ sizeof('\0') > androidDescriptor.size())
{
MALI_GRALLOC_LOGE("Descriptor is too small");
return false;
}
+ if (static_cast<char>(androidDescriptor[androidDescriptor.size() - 1]) != '\0') {
+ MALI_GRALLOC_LOGE("Descriptor does not contain an ending null character");
+ return false;
+ }
+
if (pop_descriptor_uint32(androidDescriptor, &pos) != HIDL_MAPPER_VERSION_SCALED / 10)
{
MALI_GRALLOC_LOGE("Corrupted buffer version in descriptor = %p, pid = %d ", &androidDescriptor, getpid());
