Google Git
Sign in
android/platform/packages/modules/NeuralNetworks/2bffd7f5e66dd0cf7e5668fb65c4f2b2e9f87cf7^!/.
commit
2bffd7f5e66dd0cf7e5668fb65c4f2b2e9f87cf7
[log]
author
Przemysław Szczepaniak <pszczepaniak@google.com>
Mon Mar 13 14:38:28 2023 +0000
committer
Android Build Coastguard Worker <android-build-coastguard-worker@google.com>
Thu Jun 08 20:34:43 2023 +0000
tree
0a10917fa10721a8923ca524ec4ab32282386c77
parent
fc3117e0d8bad19c08b38078f17f58293dd4f3ef [diff]
Fix OOB Read in setOperandValue

Bug: 269456018
Test: Run the POC
(cherry picked from https://android-review.googlesource.com/q/commit:c45bdb6ac47bf8cf2853144e82910f43f2f0b1e9)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d81dcf032155c2967f613629bb67f629f835636)
Merged-In: I7325d56a380f05753356875623a2b5eaba3ca578
Change-Id: I7325d56a380f05753356875623a2b5eaba3ca578

diff --git a/shim_and_sl/ShimConverter.cpp b/shim_and_sl/ShimConverter.cpp
index 2cbdc09..1ed0e31 100644
--- a/shim_and_sl/ShimConverter.cpp
+++ b/shim_and_sl/ShimConverter.cpp

@@ -128,6 +128,12 @@
 
         switch (operand.lifetime) {
             case OperandLifeTime::CONSTANT_COPY: {
+                if (operand.location.length + operand.location.offset >
+                    model.operandValues.size()) {
+                    *errorStatus = ErrorStatus::INVALID_ARGUMENT;
+                    return nullptr;
+                }
+
                 if (operand.location.length <=
                     ANEURALNETWORKS_MAX_SIZE_OF_IMMEDIATELY_COPIED_VALUES) {
                     resultModel.setOperandValue(