[HIDL composer] Verify key & value sizes are within the data size range
Invalid sizes can cause OOB reads, which cause the crash
Test: atest VtsHalGraphicsComposerV2_1TargetTest && atest VtsHalGraphicsComposerV2_2TargetTest && atest VtsHalGraphicsComposerV2_3TargetTest && atest VtsHalGraphicsComposerV2_4TargetTest
go/wm-smoke test
BUG: 252995613
Change-Id: I77e472851236eba2b8418034144c9cc8237c7143
diff --git a/graphics/composer/2.1/utils/command-buffer/include/composer-command-buffer/2.1/ComposerCommandBuffer.h b/graphics/composer/2.1/utils/command-buffer/include/composer-command-buffer/2.1/ComposerCommandBuffer.h
index 499d3b9..336d15d 100644
--- a/graphics/composer/2.1/utils/command-buffer/include/composer-command-buffer/2.1/ComposerCommandBuffer.h
+++ b/graphics/composer/2.1/utils/command-buffer/include/composer-command-buffer/2.1/ComposerCommandBuffer.h
@@ -679,6 +679,10 @@
uint32_t read() { return mData[mDataRead++]; }
+ bool isReadSizeValid(uint32_t size) const {
+ return mDataRead * sizeof(uint32_t) + size <= mDataSize;
+ }
+
int32_t readSigned() {
int32_t val;
memcpy(&val, &mData[mDataRead++], sizeof(val));
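Review bot: The two sides of the comparison in isReadSizeValid look like they are in different units: mDataRead is scaled by sizeof(uint32_t) to bytes, but mDataSize is compared unscaled, and mData is a uint32_t[] indexed by mDataRead (read() on the line above), so if mDataSize counts words rather than bytes (readQueue sets it and is outside this hunk, so confirm) the check is off by a factor of four and will reject valid payloads near the end of a buffer. Independently, `mDataRead * sizeof(uint32_t) + size` can wrap on a 32-bit size_t when size is near UINT32_MAX, which is exactly the untrusted value this check exists to reject, so the check should be written as a subtraction from the remaining space rather than an addition, e.g. `return mDataRead <= mDataSize && size <= (mDataSize - mDataRead) * sizeof(uint32_t);` under the word-unit assumption. A one-line comment on the function stating that size is in bytes and what unit mDataSize uses would stop the next caller from getting this wrong.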
@@ -760,7 +764,7 @@
std::unique_ptr<uint32_t[]> mData;
uint32_t mDataRead;
- private:
+ private:
std::unique_ptr<CommandQueueType> mQueue;
uint32_t mDataMaxSize;
diff --git a/graphics/composer/2.4/utils/hal/include/composer-hal/2.4/ComposerCommandEngine.h b/graphics/composer/2.4/utils/hal/include/composer-hal/2.4/ComposerCommandEngine.h
index 697d6b8..3b5ce5a 100644
--- a/graphics/composer/2.4/utils/hal/include/composer-hal/2.4/ComposerCommandEngine.h
+++ b/graphics/composer/2.4/utils/hal/include/composer-hal/2.4/ComposerCommandEngine.h
@@ -90,6 +90,9 @@
}
const uint32_t keySize = read();
+ if (!isReadSizeValid(keySize)) {
+ return false;
+ }
std::string key;
key.resize(keySize);
readBlob(keySize, key.data());
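Review bot: The `read()` that produces keySize on the line before the new check is itself unbounded: as defined in the first hunk, read() indexes mData and increments mDataRead without comparing against mDataSize, so a command whose data ends before the key-size word still reads one word past the valid data before isReadSizeValid runs, unless the dispatcher's command-length check (outside this hunk) already guarantees those words exist. The same applies to the `mandatory` and `valueSize` reads in the following hunk. A guard before each scalar read, `if (!isReadSizeValid(sizeof(uint32_t))) return false;`, or a bounds check inside read() itself, closes that gap in one place. The enclosing function starts and ends outside the hunk.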
@@ -97,6 +100,9 @@
const bool mandatory = read();
const uint32_t valueSize = read();
+ if (!isReadSizeValid(valueSize)) {
+ return false;
+ }
std::vector<uint8_t> value(valueSize);
readBlob(valueSize, value.data());