commit cefa91bb5108c947afe69251ad2a4366e540a2aa
author Peng Xu <pengxu@google.com> Mon Jan 16 03:10:40 2017 -0800
committer Peng Xu <pengxu@google.com> Wed Jan 18 13:26:37 2017 -0800
tree e735331b90be9b5663c517d0c313cf761db7f4db
parent 5567177a41adac6d2520a6a0ac2b9edb9be65d60

[sensors] Add parameter check to poll()

Check maxCount parameter so that it will not allocate overly large
amount of memory if input parameter is bad.

Bug: 32953589
Test: build and pass vts
Change-Id: Ia19e0315ab1623b8b6580889c1e058a19e6c9670

sensors/1.0/ISensors.hal

diff --git a/sensors/1.0/ISensors.hal b/sensors/1.0/ISensors.hal
index c56da29..5c8301a 100644
--- a/sensors/1.0/ISensors.hal
+++ b/sensors/1.0/ISensors.hal
@@ -61,7 +61,9 @@
      * If there is no sensor event when this function is being called, block
      * until there are sensor events available.
      *
-     * @param  maxCount max number of samples can be returned.
+     * @param  maxCount max number of samples can be returned, must be > 0.
+     *         Actual number of events returned in data must be <= maxCount
+     *         and > 0.
      * @return result OK on success or BAD_VALUE if maxCount <= 0.
      * @return data vector of Event contains sensor events.
      * @return dynamicSensorsAdded vector of SensorInfo contains dynamic sensor

sensors/1.0/default/Sensors.cpp

diff --git a/sensors/1.0/default/Sensors.cpp b/sensors/1.0/default/Sensors.cpp
index 8903397..e4ef99d 100644
--- a/sensors/1.0/default/Sensors.cpp
+++ b/sensors/1.0/default/Sensors.cpp
@@ -151,12 +151,13 @@
         return Void();
     }
 
-    std::unique_ptr<sensors_event_t[]> data(new sensors_event_t[maxCount]);
+    int bufferSize = maxCount <= kPollMaxBufferSize ? maxCount : kPollMaxBufferSize;
+
+    std::unique_ptr<sensors_event_t[]> data(new sensors_event_t[bufferSize]);
 
     int err = mSensorDevice->poll(
             reinterpret_cast<sensors_poll_device_t *>(mSensorDevice),
-            data.get(),
-            maxCount);
+            data.get(), bufferSize);
 
     if (err < 0) {
         _hidl_cb(ResultFromStatus(err), out, dynamicSensorsAdded);

sensors/1.0/default/Sensors.h

diff --git a/sensors/1.0/default/Sensors.h b/sensors/1.0/default/Sensors.h
index e8bd98d..09729d3 100644
--- a/sensors/1.0/default/Sensors.h
+++ b/sensors/1.0/default/Sensors.h
@@ -27,6 +27,7 @@
 namespace V1_0 {
 namespace implementation {
 
+
 struct Sensors : public ::android::hardware::sensors::V1_0::ISensors {
     Sensors();
 
@@ -60,6 +61,7 @@
             configDirectReport_cb _hidl_cb) override;
 
 private:
+    static constexpr int32_t kPollMaxBufferSize = 128;
     status_t mInitCheck;
     sensors_module_t *mSensorModule;
     sensors_poll_device_1_t *mSensorDevice;