Snap for 9133013 from d07ee2bceba5315a7cbb08a8f60acaddc894813d to tm-d4-releaseandroid-13.0.0_r48android-13.0.0_r47android-13.0.0_r46android13-d4-s2-releaseandroid13-d4-s1-releaseandroid13-d4-release

Change-Id: Ibf940a71d886c1bd24ae0e947eea87e82b6c4589

1 files changed, 8 insertions, 1 deletions

diff --git a/gralloc4/src/hidl_common/BufferDescriptor.h b/gralloc4/src/hidl_common/BufferDescriptor.h
index abaac62..0d93811 100644
--- a/gralloc4/src/hidl_common/BufferDescriptor.h
+++ b/gralloc4/src/hidl_common/BufferDescriptor.h
@@ -104,6 +104,7 @@ static uint64_t pop_descriptor_uint64(const hidl_vec<vecT> &vec, size_t *pos)
 	return val;
 }
 
+// There can only be one string at the end of the descriptor
 static void push_descriptor_string(hidl_vec<uint8_t> *vec, size_t *pos, const std::string &str)
 {
 	strcpy(reinterpret_cast<char *>(vec->data() + *pos), str.c_str());
@@ -155,12 +156,18 @@ static bool grallocDecodeBufferDescriptor(const hidl_vec<vecT> &androidDescripto
 	size_t pos = 0;
 
 	if (((DESCRIPTOR_32BIT_FIELDS * sizeof(uint32_t) / sizeof(vecT)) +
-	     (DESCRIPTOR_64BIT_FIELDS * sizeof(uint64_t) / sizeof(vecT))) > androidDescriptor.size())
+	     (DESCRIPTOR_64BIT_FIELDS * sizeof(uint64_t) / sizeof(vecT))) +
+	     sizeof('\0') > androidDescriptor.size())
 	{
 		MALI_GRALLOC_LOGE("Descriptor is too small");
 		return false;
 	}
 
+	if (static_cast<char>(androidDescriptor[androidDescriptor.size() - 1]) != '\0') {
+		MALI_GRALLOC_LOGE("Descriptor does not contain an ending null character");
+		return false;
+	}
+
 	if (pop_descriptor_uint32(androidDescriptor, &pos) != HIDL_MAPPER_VERSION_SCALED / 10)
 	{
 		MALI_GRALLOC_LOGE("Corrupted buffer version in descriptor = %p, pid = %d ", &androidDescriptor, getpid());