commit c95871363dec9147478c16cb3fa2c13c2b5e2db2
author Howard Chen <howardsoc@google.com> Thu Aug 02 19:38:21 2018 -0700
committer android-build-merger <android-build-merger@google.com> Thu Aug 02 19:38:21 2018 -0700
tree 41ca49447bbf4f9e8a21be54971752baeef94fc1
parent a61dc08b73fa0f5107e616e830108a23e08cde95
parent b6efbffc7921b0ecdb6634161d7e8da03bcbcb19

Merge "Fix IMemoryBlock::validRange(),read(),update()" am: 642a9a3024
am: b6efbffc79

Change-Id: I331b985b64d377658714b9425a6ccfaacba938ce

transport/HidlBinderSupport.cpp

diff --git a/transport/HidlBinderSupport.cpp b/transport/HidlBinderSupport.cpp
index cd05c3d..d522590 100644
--- a/transport/HidlBinderSupport.cpp
+++ b/transport/HidlBinderSupport.cpp
@@ -21,6 +21,7 @@
 #include <InternalStatic.h>  // TODO(b/69122224): remove this include, for getOrCreateCachedBinder
 
 // C includes
+#include <inttypes.h>
 #include <unistd.h>
 
 // C++ includes
@@ -93,6 +94,15 @@
                 parentOffset + hidl_memory::kOffsetOfName);
     }
 
+    // hidl_memory's size is stored in uint64_t, but mapMemory's mmap will map
+    // size in size_t. If size is over SIZE_MAX, mapMemory could succeed
+    // but the mapped memory's actual size will be smaller than the reported size.
+    if (memory.size() > SIZE_MAX) {
+        ALOGE("Cannot use memory with %" PRId64 " bytes because it is too large.", memory.size());
+        android_errorWriteLog(0x534e4554, "79376389");
+        return BAD_VALUE;
+    }
+
     return _hidl_err;
 }