[automerge] C2SurfaceSyncObj: prevent OOB read in Import 2p: e3958886db Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/20758528 Bug: 240140929 Change-Id: If19fba3d4d051ee5a1ca6f9b5229afcc782b9e49 Merged-In: I7b4cd8aa3fa5b9b2160f0eba40a618b4dd536d5c

commit: 8297258e633363bb25f34898543dcd7e193af66f [log] [tgz]
author: Sungtak Lee <taklee@google.com> Fri Dec 16 10:08:48 2022 +0000
committer: Presubmit Automerger Backend <android-build-presubmit-automerger-backend@system.gserviceaccount.com> Fri Dec 16 10:08:48 2022 +0000
tree: a33ca852fc8605d38fab9dcbf9903b8fb49e4d8a
parent: f4e746b09143b814b93fc54e79476cdb0de71484 [diff]
parent: e3958886dbdd65ac8020a4554c9e567f95a6d813 [diff]
diff --git a/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp b/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp
index e55bdc0..bbbd03e 100644
--- a/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp
+++ b/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp

@@ -64,6 +64,11 @@
     }
 
     HandleSyncMem *o = static_cast<HandleSyncMem*>(handle);
+    if (o->size() < sizeof(C2SyncVariables)) {
+        android_errorWriteLog(0x534e4554, "240140929");
+        return nullptr;
+    }
+
     void *ptr = mmap(NULL, o->size(), PROT_READ | PROT_WRITE, MAP_SHARED, o->memFd(), 0);
 
     if (ptr == MAP_FAILED) {
commit	8297258e633363bb25f34898543dcd7e193af66f	[log] [tgz]
author	Sungtak Lee <taklee@google.com>	Fri Dec 16 10:08:48 2022 +0000
committer	Presubmit Automerger Backend <android-build-presubmit-automerger-backend@system.gserviceaccount.com>	Fri Dec 16 10:08:48 2022 +0000
tree	a33ca852fc8605d38fab9dcbf9903b8fb49e4d8a
parent	f4e746b09143b814b93fc54e79476cdb0de71484 [diff]
parent	e3958886dbdd65ac8020a4554c9e567f95a6d813 [diff]