diff options
author | Michael Butler <butlermichael@google.com> | 2022-12-01 17:50:37 -0800 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-12-08 04:02:46 +0000 |
commit | 67cba779dbd5286213df6803b9908ed726e63c3e (patch) | |
tree | 1817a8bba7557b12f95cf7f5cc65b059c92e07d3 | |
parent | e53b7764f026d1c129493f0a8bd34b5b6766c355 (diff) | |
download | ml-67cba779dbd5286213df6803b9908ed726e63c3e.tar.gz |
Add additional bounds checks to NNAPI FMQ deserialize utility functions
This CL adds the following additional bounds checks:
* Adds additional checks of the index of the std::vector before
accessing the element at the index
* Changes the array index operator [] to the checked std::vector::at
method
Bug: 256589724
Test: mma
Merged-In: I3461c9e33b64e7d44bb3b430c8eb00d794669037
Change-Id: I3461c9e33b64e7d44bb3b430c8eb00d794669037
(cherry picked from commit 9e2f454205a4959c731cc586958d52b7e86285cd)
Merged-In: I3461c9e33b64e7d44bb3b430c8eb00d794669037
-rw-r--r-- | nn/common/ExecutionBurstController.cpp | 20 | ||||
-rw-r--r-- | nn/common/ExecutionBurstServer.cpp | 36 |
2 files changed, 33 insertions, 23 deletions
diff --git a/nn/common/ExecutionBurstController.cpp b/nn/common/ExecutionBurstController.cpp index 55ef9ad29..b0d815290 100644 --- a/nn/common/ExecutionBurstController.cpp +++ b/nn/common/ExecutionBurstController.cpp @@ -143,13 +143,14 @@ std::optional<std::tuple<ErrorStatus, std::vector<OutputShape>, Timing>> deseria size_t index = 0; // validate packet information - if (data.size() == 0 || data[index].getDiscriminator() != discriminator::packetInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::packetInformation) { LOG(ERROR) << "FMQ Result packet ill-formed"; return std::nullopt; } // unpackage packet information - const FmqResultDatum::PacketInformation& packetInfo = data[index].packetInformation(); + const FmqResultDatum::PacketInformation& packetInfo = data.at(index).packetInformation(); index++; const uint32_t packetSize = packetInfo.packetSize; const ErrorStatus errorStatus = packetInfo.errorStatus; @@ -164,13 +165,14 @@ std::optional<std::tuple<ErrorStatus, std::vector<OutputShape>, Timing>> deseria // unpackage operands for (size_t operand = 0; operand < numberOfOperands; ++operand) { // validate operand information - if (data[index].getDiscriminator() != discriminator::operandInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::operandInformation) { LOG(ERROR) << "FMQ Result packet ill-formed"; return std::nullopt; } // unpackage operand information - const FmqResultDatum::OperandInformation& operandInfo = data[index].operandInformation(); + const FmqResultDatum::OperandInformation& operandInfo = data.at(index).operandInformation(); index++; const bool isSufficient = operandInfo.isSufficient; const uint32_t numberOfDimensions = operandInfo.numberOfDimensions; @@ -180,13 +182,14 @@ std::optional<std::tuple<ErrorStatus, std::vector<OutputShape>, Timing>> deseria dimensions.reserve(numberOfDimensions); for (size_t i = 0; i < numberOfDimensions; ++i) { // validate dimension - if (data[index].getDiscriminator() != discriminator::operandDimensionValue) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::operandDimensionValue) { LOG(ERROR) << "FMQ Result packet ill-formed"; return std::nullopt; } // unpackage dimension - const uint32_t dimension = data[index].operandDimensionValue(); + const uint32_t dimension = data.at(index).operandDimensionValue(); index++; // store result @@ -198,13 +201,14 @@ std::optional<std::tuple<ErrorStatus, std::vector<OutputShape>, Timing>> deseria } // validate execution timing - if (data[index].getDiscriminator() != discriminator::executionTiming) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::executionTiming) { LOG(ERROR) << "FMQ Result packet ill-formed"; return std::nullopt; } // unpackage execution timing - const Timing timing = data[index].executionTiming(); + const Timing timing = data.at(index).executionTiming(); index++; // validate packet information diff --git a/nn/common/ExecutionBurstServer.cpp b/nn/common/ExecutionBurstServer.cpp index 96bc4323d..5c4d9cb19 100644 --- a/nn/common/ExecutionBurstServer.cpp +++ b/nn/common/ExecutionBurstServer.cpp @@ -153,13 +153,14 @@ std::optional<std::tuple<Request, std::vector<int32_t>, MeasureTiming>> deserial size_t index = 0; // validate packet information - if (data.size() == 0 || data[index].getDiscriminator() != discriminator::packetInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::packetInformation) { LOG(ERROR) << "FMQ Request packet ill-formed"; return std::nullopt; } // unpackage packet information - const FmqRequestDatum::PacketInformation& packetInfo = data[index].packetInformation(); + const FmqRequestDatum::PacketInformation& packetInfo = data.at(index).packetInformation(); index++; const uint32_t packetSize = packetInfo.packetSize; const uint32_t numberOfInputOperands = packetInfo.numberOfInputOperands; @@ -177,14 +178,15 @@ std::optional<std::tuple<Request, std::vector<int32_t>, MeasureTiming>> deserial inputs.reserve(numberOfInputOperands); for (size_t operand = 0; operand < numberOfInputOperands; ++operand) { // validate input operand information - if (data[index].getDiscriminator() != discriminator::inputOperandInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::inputOperandInformation) { LOG(ERROR) << "FMQ Request packet ill-formed"; return std::nullopt; } // unpackage operand information const FmqRequestDatum::OperandInformation& operandInfo = - data[index].inputOperandInformation(); + data.at(index).inputOperandInformation(); index++; const bool hasNoValue = operandInfo.hasNoValue; const DataLocation location = operandInfo.location; @@ -195,13 +197,14 @@ std::optional<std::tuple<Request, std::vector<int32_t>, MeasureTiming>> deserial dimensions.reserve(numberOfDimensions); for (size_t i = 0; i < numberOfDimensions; ++i) { // validate dimension - if (data[index].getDiscriminator() != discriminator::inputOperandDimensionValue) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::inputOperandDimensionValue) { LOG(ERROR) << "FMQ Request packet ill-formed"; return std::nullopt; } // unpackage dimension - const uint32_t dimension = data[index].inputOperandDimensionValue(); + const uint32_t dimension = data.at(index).inputOperandDimensionValue(); index++; // store result @@ -218,14 +221,15 @@ std::optional<std::tuple<Request, std::vector<int32_t>, MeasureTiming>> deserial outputs.reserve(numberOfOutputOperands); for (size_t operand = 0; operand < numberOfOutputOperands; ++operand) { // validate output operand information - if (data[index].getDiscriminator() != discriminator::outputOperandInformation) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::outputOperandInformation) { LOG(ERROR) << "FMQ Request packet ill-formed"; return std::nullopt; } // unpackage operand information const FmqRequestDatum::OperandInformation& operandInfo = - data[index].outputOperandInformation(); + data.at(index).outputOperandInformation(); index++; const bool hasNoValue = operandInfo.hasNoValue; const DataLocation location = operandInfo.location; @@ -236,13 +240,14 @@ std::optional<std::tuple<Request, std::vector<int32_t>, MeasureTiming>> deserial dimensions.reserve(numberOfDimensions); for (size_t i = 0; i < numberOfDimensions; ++i) { // validate dimension - if (data[index].getDiscriminator() != discriminator::outputOperandDimensionValue) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::outputOperandDimensionValue) { LOG(ERROR) << "FMQ Request packet ill-formed"; return std::nullopt; } // unpackage dimension - const uint32_t dimension = data[index].outputOperandDimensionValue(); + const uint32_t dimension = data.at(index).outputOperandDimensionValue(); index++; // store result @@ -259,13 +264,14 @@ std::optional<std::tuple<Request, std::vector<int32_t>, MeasureTiming>> deserial slots.reserve(numberOfPools); for (size_t pool = 0; pool < numberOfPools; ++pool) { // validate input operand information - if (data[index].getDiscriminator() != discriminator::poolIdentifier) { + if (index >= data.size() || + data.at(index).getDiscriminator() != discriminator::poolIdentifier) { LOG(ERROR) << "FMQ Request packet ill-formed"; return std::nullopt; } // unpackage operand information - const int32_t poolId = data[index].poolIdentifier(); + const int32_t poolId = data.at(index).poolIdentifier(); index++; // store result @@ -273,18 +279,18 @@ std::optional<std::tuple<Request, std::vector<int32_t>, MeasureTiming>> deserial } // validate measureTiming - if (data[index].getDiscriminator() != discriminator::measureTiming) { + if (index >= data.size() || data.at(index).getDiscriminator() != discriminator::measureTiming) { LOG(ERROR) << "FMQ Request packet ill-formed"; return std::nullopt; } // unpackage measureTiming - const MeasureTiming measure = data[index].measureTiming(); + const MeasureTiming measure = data.at(index).measureTiming(); index++; // validate packet information if (index != packetSize) { - LOG(ERROR) << "FMQ Result packet ill-formed"; + LOG(ERROR) << "FMQ Request packet ill-formed"; return std::nullopt; } |