C2SurfaceSyncObj: prevent OOB read in Import am: 7470a6a17a Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/20758529 Change-Id: Ie154d56c2074fe8efbbf835393e6dff0cbc1eb7b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

commit: bfa01566584cc4047d8ef5d59300e2d8bf93be4b [log] [tgz]
author: Sungtak Lee <taklee@google.com> Wed Dec 21 02:26:25 2022 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Wed Dec 21 02:26:25 2022 +0000
tree: e4acdce246c4895c8a0a4c984df016b40f07f940
parent: 2738b965ecb503b4fa71611794e1d91c9cb7d1d1 [diff]
parent: 7470a6a17a61f2ea732325a910fd49a67dd2f9c8 [diff]
diff --git a/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp b/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp
index 2115cc3..6be4d09 100644
--- a/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp
+++ b/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp

@@ -64,6 +64,11 @@
     }
 
     HandleSyncMem *o = static_cast<HandleSyncMem*>(handle);
+    if (o->size() < sizeof(C2SyncVariables)) {
+        android_errorWriteLog(0x534e4554, "240140929");
+        return nullptr;
+    }
+
     void *ptr = mmap(NULL, o->size(), PROT_READ | PROT_WRITE, MAP_SHARED, o->memFd(), 0);
 
     if (ptr == MAP_FAILED) {
commit	bfa01566584cc4047d8ef5d59300e2d8bf93be4b	[log] [tgz]
author	Sungtak Lee <taklee@google.com>	Wed Dec 21 02:26:25 2022 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Wed Dec 21 02:26:25 2022 +0000
tree	e4acdce246c4895c8a0a4c984df016b40f07f940
parent	2738b965ecb503b4fa71611794e1d91c9cb7d1d1 [diff]
parent	7470a6a17a61f2ea732325a910fd49a67dd2f9c8 [diff]