Replace variable-length arrays on stack with malloc.
Bug: 30202619
Change-Id: Ib95e08a1c009d88a4b4fd8d8fdba0641c6129008
(cherry picked from commit 943905bb9f99e3caa856b42c531e2be752da8834)
diff --git a/libril/RilSapSocket.cpp b/libril/RilSapSocket.cpp
index 19457f4..32d383e 100644
--- a/libril/RilSapSocket.cpp
+++ b/libril/RilSapSocket.cpp
@@ -344,7 +344,12 @@
if ((success = pb_get_encoded_size(&encoded_size, MsgHeader_fields,
hdr)) && encoded_size <= INT32_MAX && commandFd != -1) {
buffer_size = encoded_size + sizeof(uint32_t);
- uint8_t buffer[buffer_size];
+ uint8_t* buffer = (uint8_t*)malloc(buffer_size);
+ if (!buffer) {
+ RLOGE("sendResponse: OOM");
+ pthread_mutex_unlock(&write_lock);
+ return;
+ }
written_size = htonl((uint32_t) encoded_size);
ostream = pb_ostream_from_buffer(buffer, buffer_size);
pb_write(&ostream, (uint8_t *)&written_size, sizeof(written_size));
@@ -366,6 +371,7 @@
RLOGE("Error while encoding response of type %d id %d buffer_size: %d: %s.",
hdr->type, hdr->id, buffer_size, PB_GET_ERROR(&ostream));
}
+ free(buffer);
} else {
RLOGE("Not sending response type %d: encoded_size: %u. commandFd: %d. encoded size result: %d",
hdr->type, encoded_size, commandFd, success);
@@ -437,7 +443,11 @@
if ((success = pb_get_encoded_size(&encoded_size, RIL_SIM_SAP_DISCONNECT_REQ_fields,
&disconnectReq)) && encoded_size <= INT32_MAX) {
buffer_size = encoded_size + sizeof(uint32_t);
- uint8_t buffer[buffer_size];
+ uint8_t* buffer = (uint8_t*)malloc(buffer_size);
+ if (!buffer) {
+ RLOGE("sendDisconnect: OOM");
+ return;
+ }
written_size = htonl((uint32_t) encoded_size);
ostream = pb_ostream_from_buffer(buffer, buffer_size);
pb_write(&ostream, (uint8_t *)&written_size, sizeof(written_size));
@@ -469,6 +479,7 @@
else {
RLOGE("Encode failed in send disconnect!");
}
+ free(buffer);
}
}