Merge sc-v2-dev-plus-aosp-without-vendor@8433047

Bug: 226662282
Merged-In: Ic05453615b61e1dfc60cdb33bc7ecce6e01a5d53
Change-Id: Ifd944bf314033a83d4b116bf0476532d72a3f36b

1 files changed, 18 insertions, 1 deletions

diff --git a/gralloc4/src/core/mali_gralloc_reference.cpp b/gralloc4/src/core/mali_gralloc_reference.cpp
index 954c2b3..b73c08b 100644
--- a/gralloc4/src/core/mali_gralloc_reference.cpp
+++ b/gralloc4/src/core/mali_gralloc_reference.cpp
@@ -76,6 +76,16 @@ private:
             return 0;
         }
 
+        for (auto i = 0; i < MAX_BUFFER_FDS; i++) {
+            auto size = get_buffer_size(hnd->fds[i]);
+            auto size_padding = size - (off_t)hnd->alloc_sizes[i];
+            if ((size != -1) && ((size_padding < 0) || (size_padding > PAGE_SIZE))){
+                MALI_GRALLOC_LOGE("Found an imported buffer with out-of-bounds size %" PRIu64 "",
+                                  hnd->alloc_sizes[i]);
+                return -EINVAL;
+            }
+        }
+
         int error = mali_gralloc_ion_map(hnd);
         if (error != 0) {
             return error;
@@ -115,7 +125,7 @@ private:
         } else {
             for (auto i = 0; i < MAX_BUFFER_FDS; i++) {
                 if (hnd->bases[i] != 0 || data.bases[i] != nullptr) {
-                    MALI_GRALLOC_LOGE("Validation failed: Expected nullptr for unmaped buffer");
+                    MALI_GRALLOC_LOGE("Validation failed: Expected nullptr for unmapped buffer");
                     return -EINVAL;
                 }
             }
@@ -124,6 +134,13 @@ private:
         return 0;
     }
 
+    off_t get_buffer_size(unsigned int fd) {
+        off_t current = lseek(fd, 0, SEEK_CUR);
+        off_t size = lseek(fd, 0, SEEK_END);
+        lseek(fd, current, SEEK_SET);
+        return size;
+    }
+
 public:
     static BufferManager &getInstance() {
         static BufferManager instance;