From 63bb1dbf33426c4c3efc4af578c635e57f75f491 Mon Sep 17 00:00:00 2001 From: Amit Mahajan Date: Mon, 15 Aug 2016 09:06:34 -0700 Subject: Replace variable-length arrays on stack with malloc. CYNGNOS-3286 Bug: 30202619 Change-Id: Ib95e08a1c009d88a4b4fd8d8fdba0641c6129008 (cherry picked from commit 943905bb9f99e3caa856b42c531e2be752da8834) (cherry picked from commit 0c3aefae2e22846486937a0ff5de21b64f3a14b1) (cherry picked from commit 9a7da975f78dbf52f0943376b4484d61c449196c) --- libril/RilSapSocket.cpp | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libril/RilSapSocket.cpp b/libril/RilSapSocket.cpp index e422f34..15476c1 100644 --- a/libril/RilSapSocket.cpp +++ b/libril/RilSapSocket.cpp @@ -343,7 +343,12 @@ void RilSapSocket::sendResponse(MsgHeader* hdr) { if ((success = pb_get_encoded_size(&encoded_size, MsgHeader_fields, hdr)) && encoded_size <= INT32_MAX && commandFd != -1) { buffer_size = encoded_size + sizeof(uint32_t); - uint8_t buffer[buffer_size]; + uint8_t* buffer = (uint8_t*)malloc(buffer_size); + if (!buffer) { + RLOGE("sendResponse: OOM"); + pthread_mutex_unlock(&write_lock); + return; + } written_size = htonl((uint32_t) encoded_size); ostream = pb_ostream_from_buffer(buffer, buffer_size); pb_write(&ostream, (uint8_t *)&written_size, sizeof(written_size)); @@ -365,6 +370,7 @@ void RilSapSocket::sendResponse(MsgHeader* hdr) { RLOGE("Error while encoding response of type %d id %d buffer_size: %d: %s.", hdr->type, hdr->id, buffer_size, PB_GET_ERROR(&ostream)); } + free(buffer); } else { RLOGE("Not sending response type %d: encoded_size: %u. commandFd: %d. encoded size result: %d", hdr->type, encoded_size, commandFd, success); 
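Review bot: In the first sendResponse hunk (`@@ -343,7 +343,12 @@`), the only limit on the size handed to `malloc` is `encoded_size <= INT32_MAX`, so the allocation can still be asked for roughly 2 GiB plus the 4-byte length prefix. Moving the buffer off the stack removes the stack-exhaustion risk, but a cap tied to the largest message the SAP protocol allows would reject oversized encodings before allocating, for example `encoded_size <= MAX_SAP_MSG_SIZE` (placeholder name, value for the maintainers to choose) added to the condition. `buffer_size` is declared outside the hunk, but it is logged with `%d` in the error path further down. If it is a 32-bit signed type, `encoded_size + sizeof(uint32_t)` can overflow at the top of the allowed range, and `encoded_size <= INT32_MAX - sizeof(uint32_t)` would close that. The same bound is used in the sendDisconnect hunk at `@@ -436,7 +442,11 @@`.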
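Review bot: The `free(buffer)` added in hunk `@@ -365,6 +370,7 @@` is the only release of the allocation, and most of the code between the `malloc` and this line lies outside the two hunks, so any `return` in that stretch, now or added later, would leak the buffer. Tying the lifetime to scope removes the dependency on every exit path: `std::unique_ptr<uint8_t, decltype(&free)> buffer(static_cast<uint8_t*>(malloc(buffer_size)), free);`, with `buffer.get()` passed to `pb_ostream_from_buffer` and `<memory>` included. The OOM branch would then no longer need a matching manual cleanup if further resources are added. The same pattern appears in sendDisconnect, where `free(buffer)` is added in the hunk at `@@ -468,6 +478,7 @@`.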
@@ -436,7 +442,11 @@ void RilSapSocket::sendDisconnect() { if ((success = pb_get_encoded_size(&encoded_size, RIL_SIM_SAP_DISCONNECT_REQ_fields, &disconnectReq)) && encoded_size <= INT32_MAX) { buffer_size = encoded_size + sizeof(uint32_t); - uint8_t buffer[buffer_size]; + uint8_t* buffer = (uint8_t*)malloc(buffer_size); + if (!buffer) { + RLOGE("sendDisconnect: OOM"); + return; + } written_size = htonl((uint32_t) encoded_size); ostream = pb_ostream_from_buffer(buffer, buffer_size); pb_write(&ostream, (uint8_t *)&written_size, sizeof(written_size)); @@ -468,6 +478,7 @@ void RilSapSocket::sendDisconnect() { else { RLOGE("Encode failed in send disconnect!"); } + free(buffer); } } -- cgit v1.2.3
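Review bot: The out-of-memory return added to sendDisconnect (hunk `@@ -436,7 +442,11 @@`) releases no lock, while the equivalent path added to sendResponse calls `pthread_mutex_unlock(&write_lock)` before returning. The start of sendDisconnect is outside the hunk, so whether `write_lock` is held at this point cannot be confirmed from this page. If it is not held, a comment such as `// write_lock is not taken in sendDisconnect; nothing to release on this path` would stop a reader from treating the difference as a missed unlock. If it is held, this return needs the same unlock as sendResponse.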