Merge cherrypicks of [4647037, 4647038, 4647883, 4647039, 4647933, 4648530, 4648550, 4648551, 4648552, 4648553, 4646931, 4646932, 4646933, 4646934, 4648391, 4647976, 4647977, 4647978, 4647526, 4646972, 4646935, 4646936, 4646937, 4646938, 4646939, 4646940, 4646941, 4648392, 4647509, 4648630, 4648631, 4647934] into pi-release-2
Change-Id: Ie8690bcc9e63cdb70ab81791244446a56ef46eb9
diff --git a/transport/HidlBinderSupport.cpp b/transport/HidlBinderSupport.cpp
index d14887f..4f8d7c5 100644
--- a/transport/HidlBinderSupport.cpp
+++ b/transport/HidlBinderSupport.cpp
@@ -19,6 +19,7 @@
#include <hidl/HidlBinderSupport.h>
// C includes
+#include <inttypes.h>
#include <unistd.h>
// C++ includes
@@ -66,6 +67,15 @@
parentOffset + hidl_memory::kOffsetOfName);
}
+ // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+ // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+ // but the mapped memory's actual size will be smaller than the reported size.
+ if (memory.size() > SIZE_MAX) {
+ ALOGE("Cannot use memory with %" PRId64 " bytes because it is too large.", memory.size());
+ android_errorWriteLog(0x534e4554, "79376389");
+ return BAD_VALUE;
+ }
+
return _hidl_err;
}
