libgui: Check slot received from IGBP in Surface Checks that the slot number received from mGraphicBufferProducer in Surface::dequeueBuffer is on the interval [0, NUM_BUFFER_SLOTS) to protect against a malicious BnGraphicBufferProducer. Bug: 36991414 Change-Id: I1a76fd1bcce1c558f1c0c30f03638278288ed4fa

commit: ac93b3a30e97a441d01e8e25b33ec6840aa3f59b [log] [tgz]
author: Dan Stoza <stoza@google.com> Mon May 01 16:31:53 2017 -0700
committer: Dan Stoza <stoza@google.com> Mon May 01 16:31:53 2017 -0700
tree: f0fa95a56615001f3503140457b6471c98f98e5b
parent: 2ae83f4f628d4da96f363d0668380ba1f753b867 [diff]
diff --git a/libs/gui/Surface.cpp b/libs/gui/Surface.cpp
index 27dbc4e..637527b 100644
--- a/libs/gui/Surface.cpp
+++ b/libs/gui/Surface.cpp

@@ -191,6 +191,13 @@
              result);
         return result;
     }
+
+    if (buf < 0 || buf >= NUM_BUFFER_SLOTS) {
+        ALOGE("dequeueBuffer: IGraphicBufferProducer returned invalid slot number %d", buf);
+        android_errorWriteLog(0x534e4554, "36991414"); // SafetyNet logging
+        return FAILED_TRANSACTION;
+    }
+
     sp<GraphicBuffer>& gbuf(mSlots[buf].buffer);
 
     // this should never happen
commit	ac93b3a30e97a441d01e8e25b33ec6840aa3f59b	[log] [tgz]
author	Dan Stoza <stoza@google.com>	Mon May 01 16:31:53 2017 -0700
committer	Dan Stoza <stoza@google.com>	Mon May 01 16:31:53 2017 -0700
tree	f0fa95a56615001f3503140457b6471c98f98e5b
parent	2ae83f4f628d4da96f363d0668380ba1f753b867 [diff]