diff options
author | Mike Lockwood <lockwood@google.com> | 2014-12-17 12:22:36 -0800 |
---|---|---|
committer | Mike Lockwood <lockwood@google.com> | 2014-12-17 12:22:36 -0800 |
commit | e48cf5b8f823c30af93577c1e380d752ac69b871 (patch) | |
tree | e4c28928702a1b75d4a67958bdccdca0d7e73c61 | |
parent | 145cf5d885c238b690ab8240137934327b85c427 (diff) | |
download | frameworks_av-e48cf5b8f823c30af93577c1e380d752ac69b871.tar.gz frameworks_av-e48cf5b8f823c30af93577c1e380d752ac69b871.tar.bz2 frameworks_av-e48cf5b8f823c30af93577c1e380d752ac69b871.zip |
Fix bounds checking for GetPartialObject command
GetPartialObject has only 3 arguments, whereas the 64 bit version takes 4.
Bug: 18786282
Change-Id: I4376962769ed0eae2f4991c2569244db22509204
-rw-r--r-- | media/mtp/MtpServer.cpp | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/media/mtp/MtpServer.cpp b/media/mtp/MtpServer.cpp index 931a09de65..e4e16f24df 100644 --- a/media/mtp/MtpServer.cpp +++ b/media/mtp/MtpServer.cpp @@ -819,18 +819,24 @@ MtpResponseCode MtpServer::doGetThumb() { MtpResponseCode MtpServer::doGetPartialObject(MtpOperationCode operation) { if (!hasStorage()) return MTP_RESPONSE_INVALID_OBJECT_HANDLE; - if (mRequest.getParameterCount() < 4) - return MTP_RESPONSE_INVALID_PARAMETER; MtpObjectHandle handle = mRequest.getParameter(1); uint64_t offset; uint32_t length; offset = mRequest.getParameter(2); if (operation == MTP_OPERATION_GET_PARTIAL_OBJECT_64) { + // MTP_OPERATION_GET_PARTIAL_OBJECT_64 takes 4 arguments + if (mRequest.getParameterCount() < 4) + return MTP_RESPONSE_INVALID_PARAMETER; + // android extension with 64 bit offset uint64_t offset2 = mRequest.getParameter(3); offset = offset | (offset2 << 32); length = mRequest.getParameter(4); } else { + // MTP_OPERATION_GET_PARTIAL_OBJECT takes 3 arguments + if (mRequest.getParameterCount() < 3) + return MTP_RESPONSE_INVALID_PARAMETER; + // standard GetPartialObject length = mRequest.getParameter(3); } |