commit 70e25ee65c039438071c2c07fa6858d4275a8474
author Arthur Ishiguro <arthuri@google.com> Fri Jun 12 11:27:18 2020 -0700
committer Arthur Ishiguro <arthuri@google.com> Mon Jun 15 15:24:49 2020 +0000
tree 16faf1e1ca568ef7876b28def429b76a3558d0b6
parent ad6212964826e31ef4468c2f15b4dfdd7a220a49

Fix unchecked size in ISensorServer code

Bug: 128919198
Test: adb shell service call sensorservice  6 i32 1 i32 1 i32 -1, verify no crash
Change-Id: I1db27d2ea579172cd35c0f05d2875efebb64a429

libs/sensor/ISensorServer.cpp

diff --git a/libs/sensor/ISensorServer.cpp b/libs/sensor/ISensorServer.cpp
index 8ed09f8..a6b0aaf 100644
--- a/libs/sensor/ISensorServer.cpp
+++ b/libs/sensor/ISensorServer.cpp
@@ -216,14 +216,25 @@
             int32_t type;
             Vector<float> floats;
             Vector<int32_t> ints;
+            uint32_t count;
 
             handle = data.readInt32();
             type = data.readInt32();
-            floats.resize(data.readUint32());
+
+            count = data.readUint32();
+            if (count > (data.dataAvail() / sizeof(float))) {
+              return BAD_VALUE;
+            }
+            floats.resize(count);
             for (auto &i : floats) {
                 i = data.readFloat();
             }
-            ints.resize(data.readUint32());
+
+            count = data.readUint32();
+            if (count > (data.dataAvail() / sizeof(int32_t))) {
+              return BAD_VALUE;
+            }
+            ints.resize(count);
             for (auto &i : ints) {
                 i = data.readInt32();
             }