ISurfaceComposer: boundary check input on CAPTURE_LAYERS
Add a sanity check on numExcludeHandles to make sure we don't cause
an overflow.
Test: adb shell /data/nativetest64/SurfaceFlinger_test/SurfaceFlinger_test
Fixes: 146435753
Change-Id: I2c700392727e2f4e0e434fb4c1800f2973c7418b
Merged-In: I2c700392727e2f4e0e434fb4c1800f2973c7418b
diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 27bd53c..385a093 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -367,7 +367,7 @@
property_get("ro.sf.blurs_are_expensive", value, "0");
mBlursAreExpensive = atoi(value);
- const size_t defaultListSize = MAX_LAYERS;
+ const size_t defaultListSize = ISurfaceComposer::MAX_LAYERS;
auto listSize = property_get_int32("debug.sf.max_igbp_list_size", int32_t(defaultListSize));
mMaxGraphicBufferProducerListSize = (listSize > 0) ? size_t(listSize) : defaultListSize;
@@ -3066,9 +3066,9 @@
parent = parentLayer;
}
- if (mNumLayers >= MAX_LAYERS) {
+ if (mNumLayers >= ISurfaceComposer::MAX_LAYERS) {
ALOGE("AddClientLayer failed, mNumLayers (%zu) >= MAX_LAYERS (%zu)", mNumLayers.load(),
- MAX_LAYERS);
+ ISurfaceComposer::MAX_LAYERS);
return NO_MEMORY;
}