authorRamakant Singh <ramaka@codeaurora.org>2017-05-16 12:49:56 +0530
committerHarry Youd <harry@harryyoud.co.uk>2018-01-18 19:06:28 +0000
commit5fa137014de6404d1a1247641b551bb7805c26ba (patch)
tree1e02b1ede687524eaf523d35e40974f2af4630b0
parent205428f75b90f0b7b34223d64cf0d3568d8dd72f (diff)
cec: Calculate buffer length to protect from overflowHEADcm-13.0-caf-8996
Change-Id: I38b1e98ea5e1231a9cb3480b2f99a61dae957a25 CRs-Fixed: 2037019 CVE-2017-9689
-rw-r--r--hdmi_cec/qhdmi_cec.cpp8
1 files changed, 5 insertions, 3 deletions
diff --git a/hdmi_cec/qhdmi_cec.cpp b/hdmi_cec/qhdmi_cec.cpp
index f84cf8097..0923d9227 100644
--- a/hdmi_cec/qhdmi_cec.cpp
+++ b/hdmi_cec/qhdmi_cec.cpp
@@ -1,5 +1,5 @@
/*
-* Copyright (c) 2014, 2016, The Linux Foundation. All rights reserved.
+* Copyright (c) 2014, 2016-2017, The Linux Foundation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -296,8 +296,10 @@ void cec_receive_message(cec_context_t *ctx, char *msg, ssize_t len)
event.cec.initiator = (cec_logical_address_t) msg[CEC_OFFSET_SENDER_ID];
event.cec.destination = (cec_logical_address_t) msg[CEC_OFFSET_RECEIVER_ID];
//Copy opcode and operand
- memcpy(event.cec.body, &msg[CEC_OFFSET_OPCODE], event.cec.length);
- hex_to_string((char *) event.cec.body, event.cec.length, dump);
+ size_t copy_size = event.cec.length > sizeof(event.cec.body) ?
+ sizeof(event.cec.body) : event.cec.length;
+ memcpy(event.cec.body, &msg[CEC_OFFSET_OPCODE],copy_size);
+ hex_to_string((char *) event.cec.body, copy_size, dump);
ALOGD_IF(DEBUG, "%s: Message to framework: %s", __FUNCTION__, dump);
ctx->callback.callback_func(&event, ctx->callback.callback_arg);
}
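Review bot: The clamp bounds only the local `copy_size`; `event.cec.length` keeps its unclamped value when the event is handed to `ctx->callback.callback_func`, so a consumer that walks `body` by `length` could still read past the array. Assigning `event.cec.length = copy_size;` right after the clamp would keep the struct self-consistent. The source side is also unchecked in this hunk: `memcpy` reads `copy_size` bytes from `&msg[CEC_OFFSET_OPCODE]` without comparing against the `len` parameter, so a short driver message may be over-read unless a check outside the hunk covers it; a guard such as `if (len < 0 || (size_t)len < CEC_OFFSET_OPCODE + copy_size) return;` would close that. The function starts above the hunk, where `event.cec.length` and `dump` are set up, so whether `dump` is large enough for `copy_size` bytes of hex output could not be verified here.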