From d1c08b13d3ebd2555ee15c5fc87c103ba9df57cd Mon Sep 17 00:00:00 2001 From: Courtney Goeltzenleuchter Date: Thu, 24 May 2018 08:23:55 -0600 Subject: [PATCH] Fix Buffer Overflow in Vendor Service display.qservice Bug: 63145942 Test: adb shell vndservice call display.qservice 36 s16 sdlkfjsadlfkjasdf Change-Id: I3fdf5ccd2bf4ed0fa980883fefdb57eb5fbfeee7 (cherry picked from commit 4050091844ccd427587024e5fd916113a5cc0029) --- msm8996/sdm/libs/hwc2/hwc_session.cpp | 5 +++++ msm8998/sdm/libs/hwc2/hwc_session.cpp | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/msm8996/sdm/libs/hwc2/hwc_session.cpp b/msm8996/sdm/libs/hwc2/hwc_session.cpp index d12d758f..a0ff5254 100644 --- a/msm8996/sdm/libs/hwc2/hwc_session.cpp +++ b/msm8996/sdm/libs/hwc2/hwc_session.cpp @@ -1221,6 +1221,11 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_ auto display = static_cast(input_parcel->readInt32()); auto mode = static_cast(input_parcel->readInt32()); auto device = static_cast(this); + + if (display > HWC_DISPLAY_VIRTUAL) { + return -EINVAL; + } + auto err = CallDisplayFunction(device, display, &HWCDisplay::SetColorMode, mode); if (err != HWC2_ERROR_NONE) return -EINVAL; diff --git a/msm8998/sdm/libs/hwc2/hwc_session.cpp b/msm8998/sdm/libs/hwc2/hwc_session.cpp index a9c7e4e2..d58ce0f9 100644 --- a/msm8998/sdm/libs/hwc2/hwc_session.cpp +++ b/msm8998/sdm/libs/hwc2/hwc_session.cpp @@ -1250,6 +1250,11 @@ android::status_t HWCSession::SetColorModeOverride(const android::Parcel *input_ auto display = static_cast(input_parcel->readInt32()); auto mode = static_cast(input_parcel->readInt32()); auto device = static_cast(this); + + if (display > HWC_DISPLAY_VIRTUAL) { + return -EINVAL; + } + auto err = CallDisplayFunction(device, display, &HWCDisplay::SetColorMode, mode); if (err != HWC2_ERROR_NONE) return -EINVAL;