commit c7a880719e825288142452422d80fccd315b3807
author ramindani <ramindani@google.com> Fri May 26 23:40:02 2023 +0000
committer Ram Indani <ramindani@google.com> Wed May 31 23:00:53 2023 +0000
tree 371ad9c9087d983e238fa6899f1dbdfa620517c8
parent e6e7fdfda69c44f67a7ce4c20ff8937d5232d46e

[HIDL composer] Verify key & value sizes are within the data size range

Sizes when invalid can cause OOB reads and causes the crash

Test: atest VtsHalGraphicsComposerV2_1TargetTest && atest VtsHalGraphicsComposerV2_2TargetTest && atest VtsHalGraphicsComposerV2_3TargetTest && atest VtsHalGraphicsComposerV2_4TargetTest
go/wm-smoke test
BUG: 252995613

Change-Id: I77e472851236eba2b8418034144c9cc8237c7143

graphics/composer/2.1/utils/command-buffer/include/composer-command-buffer/2.1/ComposerCommandBuffer.h

diff --git a/graphics/composer/2.1/utils/command-buffer/include/composer-command-buffer/2.1/ComposerCommandBuffer.h b/graphics/composer/2.1/utils/command-buffer/include/composer-command-buffer/2.1/ComposerCommandBuffer.h
index 499d3b9..336d15d 100644
--- a/graphics/composer/2.1/utils/command-buffer/include/composer-command-buffer/2.1/ComposerCommandBuffer.h
+++ b/graphics/composer/2.1/utils/command-buffer/include/composer-command-buffer/2.1/ComposerCommandBuffer.h
@@ -679,6 +679,10 @@
 
     uint32_t read() { return mData[mDataRead++]; }
 
+    bool isReadSizeValid(uint32_t size) const {
+        return mDataRead * sizeof(uint32_t) + size <= mDataSize;
+    }
+
     int32_t readSigned() {
         int32_t val;
         memcpy(&val, &mData[mDataRead++], sizeof(val));
@@ -760,7 +764,7 @@
     std::unique_ptr<uint32_t[]> mData;
     uint32_t mDataRead;
 
-   private:
+  private:
     std::unique_ptr<CommandQueueType> mQueue;
     uint32_t mDataMaxSize;
 

graphics/composer/2.4/utils/hal/include/composer-hal/2.4/ComposerCommandEngine.h

diff --git a/graphics/composer/2.4/utils/hal/include/composer-hal/2.4/ComposerCommandEngine.h b/graphics/composer/2.4/utils/hal/include/composer-hal/2.4/ComposerCommandEngine.h
index 697d6b8..3b5ce5a 100644
--- a/graphics/composer/2.4/utils/hal/include/composer-hal/2.4/ComposerCommandEngine.h
+++ b/graphics/composer/2.4/utils/hal/include/composer-hal/2.4/ComposerCommandEngine.h
@@ -90,6 +90,9 @@
         }
 
         const uint32_t keySize = read();
+        if (!isReadSizeValid(keySize)) {
+            return false;
+        }
         std::string key;
         key.resize(keySize);
         readBlob(keySize, key.data());
@@ -97,6 +100,9 @@
         const bool mandatory = read();
 
         const uint32_t valueSize = read();
+        if (!isReadSizeValid(valueSize)) {
+            return false;
+        }
         std::vector<uint8_t> value(valueSize);
         readBlob(valueSize, value.data());