commit 9d3eb357a2a3a64baa4824d550b5563b3dc0b15a
author Martijn Coenen <maco@google.com> Tue Apr 18 20:28:03 2017 -0700
committer Martijn Coenen <maco@google.com> Thu Apr 27 16:23:50 2017 -0700
tree 406f38b404c8a1eaaae2c712ee4f4bda7b6531dc
parent 08607dcb2119d45381579682f1531e487c9414ad

Validate incoming data properly.

readEmbeddedBuffer() now requires the correct length
of the buffer as an argument.

Modified the readEmbeddedFromParcel() functions to take
a const-reference to the struct the data is embedded in;
the kernel has already fixed up the pointers, we just need
to verify the buffer has the correct size, parent buffer
and offset within that parent buffer.

Bug: 30498700
Test: hidl_test, hidl_test_java, YouTube, Maps, Netflix, Camera
Change-Id: I44d6ca7ef6f252f8154b03ff9914b7db69c70604
Merged-In: I44d6ca7ef6f252f8154b03ff9914b7db69c70604

transport/include/hidl/HidlBinderSupport.h

diff --git a/transport/include/hidl/HidlBinderSupport.h b/transport/include/hidl/HidlBinderSupport.h
index 454656c..a82f977 100644
--- a/transport/include/hidl/HidlBinderSupport.h
+++ b/transport/include/hidl/HidlBinderSupport.h
@@ -60,7 +60,7 @@
 
 // ---------------------- hidl_memory
 
-status_t readEmbeddedFromParcel(hidl_memory *memory,
+status_t readEmbeddedFromParcel(const hidl_memory &memory,
         const Parcel &parcel, size_t parentHandle, size_t parentOffset);
 
 status_t writeEmbeddedToParcel(const hidl_memory &memory,
@@ -68,7 +68,7 @@
 
 // ---------------------- hidl_string
 
-status_t readEmbeddedFromParcel(hidl_string *string,
+status_t readEmbeddedFromParcel(const hidl_string &string,
         const Parcel &parcel, size_t parentHandle, size_t parentOffset);
 
 status_t writeEmbeddedToParcel(const hidl_string &string,
@@ -92,13 +92,14 @@
 
 template<typename T>
 status_t readEmbeddedFromParcel(
-        hidl_vec<T> * /*vec*/,
+        const hidl_vec<T> &vec,
         const Parcel &parcel,
         size_t parentHandle,
         size_t parentOffset,
         size_t *handle) {
     const void *out;
     return parcel.readNullableEmbeddedBuffer(
+            vec.size() * sizeof(T),
             handle,
             parentHandle,
             parentOffset + hidl_vec<T>::kOffsetOfBuffer,
@@ -129,7 +130,7 @@
 
 template<typename T, MQFlavor flavor>
 ::android::status_t readEmbeddedFromParcel(
-        MQDescriptor<T, flavor> *obj,
+        MQDescriptor<T, flavor> &obj,
         const ::android::hardware::Parcel &parcel,
         size_t parentHandle,
         size_t parentOffset) {
@@ -138,7 +139,7 @@
     size_t _hidl_grantors_child;
 
     _hidl_err = ::android::hardware::readEmbeddedFromParcel(
-                &obj->grantors(),
+                obj.grantors(),
                 parcel,
                 parentHandle,
                 parentOffset + MQDescriptor<T, flavor>::kOffsetOfGrantors,