authorSteven Moreland <smoreland@google.com>2018-06-27 21:16:18 -0700
committerandroid-build-merger <android-build-merger@google.com>2018-06-27 21:16:18 -0700
commit3f3ff1aca3ec4d17fd0e6a0d3f23108ddcc95134 (patch)
treed638624afaff061ebb012e2c7706046a43e72a16
parentf43ab1947c74dad5164f5a6398b2dd7db02e8641 (diff)
parentd97d2321b0c4a2c98aabefb7f3802e4404566ca4 (diff)
am: d97d2321b0 Change-Id: I27e15521bf8d27df69ffe4e144b38d895c85e803
-rw-r--r--transport/HidlBinderSupport.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/transport/HidlBinderSupport.cpp b/transport/HidlBinderSupport.cpp
index d14887f..4f8d7c5 100644
--- a/transport/HidlBinderSupport.cpp
+++ b/transport/HidlBinderSupport.cpp
@@ -19,6 +19,7 @@
#include <hidl/HidlBinderSupport.h>
// C includes
+#include <inttypes.h>
#include <unistd.h>
// C++ includes
@@ -66,6 +67,15 @@ status_t readEmbeddedFromParcel(const hidl_memory& memory,
parentOffset + hidl_memory::kOffsetOfName);
}
+ // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+ // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+ // but the mapped memory's actual size will be smaller than the reported size.
+ if (memory.size() > SIZE_MAX) {
+ ALOGE("Cannot use memory with %" PRId64 " bytes because it is too large.", memory.size());
+ android_errorWriteLog(0x534e4554, "79376389");
+ return BAD_VALUE;
+ }
+
return _hidl_err;
}
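Review bot: The ALOGE call in the added size check formats `memory.size()` with `PRId64`, but the comment just above it says the size is stored as uint64_t, so a value above INT64_MAX would be logged as a negative number. `PRIu64` matches the type: `ALOGE("Cannot use memory with %" PRIu64 " bytes because it is too large.", memory.size());`. The guard also runs after the embedded reads and returns BAD_VALUE even when `_hidl_err` already holds an earlier failure, so the original error code is lost on that path; checking `_hidl_err` first would keep it. Where size_t is 64 bits wide the comparison against SIZE_MAX can never be true, so the comment could say that this protects 32-bit processes only. readEmbeddedFromParcel begins above the hunk, so the ordering relative to the earlier reads is inferred from the visible context lines.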