HDMICEC: Out of Bounds Write in sendMessage in HdmiCec.cpp Bug: 278243594 Test: m && m android.hardware.tv.cec@1.0 && m android.hardware.tv.cec@1.0-service && atest VtsHalTvCecV1_0TargetTest Change-Id: I2989f66f41172b345e3047218e138358c18b8644 (cherry picked from commit 2371bc8191fa18e5dc6807f1d7c64c4c87ba81c2)

commit: a93bdd057828d0f29707a378d7a4de259be74839 [log] [tgz]
author: Paul Colta <donpaul@google.com> Mon May 15 10:18:18 2023 +0200
committer: Paul Colța <donpaul@google.com> Thu Jun 01 07:52:40 2023 +0000
tree: 07b5ecabc7524d140595f753f2e2e4b2da1c6f4a
parent: d6976527741b997ad2c70a6a312de35b3fb5d868 [diff]
diff --git a/tv/cec/1.0/default/HdmiCec.cpp b/tv/cec/1.0/default/HdmiCec.cpp
index 74de785..f05f610 100644
--- a/tv/cec/1.0/default/HdmiCec.cpp
+++ b/tv/cec/1.0/default/HdmiCec.cpp

@@ -307,6 +307,9 @@
 }
 
 Return<SendMessageResult> HdmiCec::sendMessage(const CecMessage& message) {
+    if (message.body.size() > CEC_MESSAGE_BODY_MAX_LENGTH) {
+        return SendMessageResult::FAIL;
+    }
     cec_message_t legacyMessage {
         .initiator = static_cast<cec_logical_address_t>(message.initiator),
         .destination = static_cast<cec_logical_address_t>(message.destination),
commit	a93bdd057828d0f29707a378d7a4de259be74839	[log] [tgz]
author	Paul Colta <donpaul@google.com>	Mon May 15 10:18:18 2023 +0200
committer	Paul Colța <donpaul@google.com>	Thu Jun 01 07:52:40 2023 +0000
tree	07b5ecabc7524d140595f753f2e2e4b2da1c6f4a
parent	d6976527741b997ad2c70a6a312de35b3fb5d868 [diff]