ISurfaceComposer: boundary check input on CAPTURE_LAYERS
Add a sanity check on numExcludeHandles to make sure we don't cause
an overflow.
Test: adb shell /data/nativetest64/SurfaceFlinger_test/SurfaceFlinger_test
Fixes: 146435753
Change-Id: I2c700392727e2f4e0e434fb4c1800f2973c7418b
diff --git a/libs/gui/ISurfaceComposer.cpp b/libs/gui/ISurfaceComposer.cpp
index ce41eab..04c21a9 100644
--- a/libs/gui/ISurfaceComposer.cpp
+++ b/libs/gui/ISurfaceComposer.cpp
@@ -1281,6 +1281,9 @@
std::unordered_set<sp<IBinder>, SpHash<IBinder>> excludeHandles;
int numExcludeHandles = data.readInt32();
+ if (numExcludeHandles >= static_cast<int>(MAX_LAYERS)) {
+ return BAD_VALUE;
+ }
excludeHandles.reserve(numExcludeHandles);
for (int i = 0; i < numExcludeHandles; i++) {
excludeHandles.emplace(data.readStrongBinder());
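Review bot: A negative count still passes the added guard, because `numExcludeHandles >= static_cast<int>(MAX_LAYERS)` only rejects values at or above the limit and the value comes straight from `data.readInt32()`. A negative `int` passed to `excludeHandles.reserve(...)` is converted to a very large unsigned size, so the oversized reservation this commit is meant to prevent appears to remain reachable from the parcel. Rejecting both ends closes it: `if (numExcludeHandles < 0 || numExcludeHandles >= static_cast<int>(MAX_LAYERS)) {`. The read itself is also unchecked; `data.readInt32(&numExcludeHandles)` with a status test would distinguish a truncated parcel from a genuine zero. The enclosing case body starts and ends outside the hunk.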
diff --git a/libs/gui/include/gui/ISurfaceComposer.h b/libs/gui/include/gui/ISurfaceComposer.h
index 0659f0d..09487ea 100644
--- a/libs/gui/include/gui/ISurfaceComposer.h
+++ b/libs/gui/include/gui/ISurfaceComposer.h
@@ -76,6 +76,8 @@
public:
DECLARE_META_INTERFACE(SurfaceComposer)
+ static constexpr size_t MAX_LAYERS = 4096;
+
// flags for setTransactionState()
enum {
eSynchronous = 0x01,
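Review bot: `MAX_LAYERS` is added to the public interface without a comment saying what it bounds, while its only visible use is as a cap on an untrusted count read from a parcel. A short comment would keep later callers from treating it as a general layer limit, for example `// Upper bound on layer handle counts accepted from a Parcel (e.g. CAPTURE_LAYERS exclude list).` The constant is `size_t` but is compared against an `int` through a cast at the use site, so the comment could also state that counts must be validated as non-negative before the comparison.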