summaryrefslogtreecommitdiff
path: root/gralloc4/src
diff options
context:
space:
mode:
Diffstat (limited to 'gralloc4/src')
-rw-r--r--gralloc4/src/hidl_common/BufferDescriptor.h9
1 files changed, 8 insertions, 1 deletions
diff --git a/gralloc4/src/hidl_common/BufferDescriptor.h b/gralloc4/src/hidl_common/BufferDescriptor.h
index abaac62..0d93811 100644
--- a/gralloc4/src/hidl_common/BufferDescriptor.h
+++ b/gralloc4/src/hidl_common/BufferDescriptor.h
@@ -104,6 +104,7 @@ static uint64_t pop_descriptor_uint64(const hidl_vec<vecT> &vec, size_t *pos)
return val;
}
+// There can only be one string at the end of the descriptor
static void push_descriptor_string(hidl_vec<uint8_t> *vec, size_t *pos, const std::string &str)
{
strcpy(reinterpret_cast<char *>(vec->data() + *pos), str.c_str());
@@ -155,12 +156,18 @@ static bool grallocDecodeBufferDescriptor(const hidl_vec<vecT> &androidDescripto
size_t pos = 0;
if (((DESCRIPTOR_32BIT_FIELDS * sizeof(uint32_t) / sizeof(vecT)) +
- (DESCRIPTOR_64BIT_FIELDS * sizeof(uint64_t) / sizeof(vecT))) > androidDescriptor.size())
+ (DESCRIPTOR_64BIT_FIELDS * sizeof(uint64_t) / sizeof(vecT))) +
+ sizeof('\0') > androidDescriptor.size())
{
MALI_GRALLOC_LOGE("Descriptor is too small");
return false;
}
+ if (static_cast<char>(androidDescriptor[androidDescriptor.size() - 1]) != '\0') {
+ MALI_GRALLOC_LOGE("Descriptor does not contain an ending null character");
+ return false;
+ }
+
if (pop_descriptor_uint32(androidDescriptor, &pos) != HIDL_MAPPER_VERSION_SCALED / 10)
{
MALI_GRALLOC_LOGE("Corrupted buffer version in descriptor = %p, pid = %d ", &androidDescriptor, getpid());
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 13:28:08 +0000