C2SurfaceSyncObj: prevent OOB read in Import Prevent OOB read in C2SurfaceSyncObj::Import from libcodec2_vndk. Bug: 240140929 Test: Manual Change-Id: I7b4cd8aa3fa5b9b2160f0eba40a618b4dd536d5c (cherry picked from commit 9b4f38105ad66615e811483f4927942b231c84b7) Merged-In: I7b4cd8aa3fa5b9b2160f0eba40a618b4dd536d5c (cherry picked from commit e3958886dbdd65ac8020a4554c9e567f95a6d813) Merged-In: I7b4cd8aa3fa5b9b2160f0eba40a618b4dd536d5c

commit: b7f5c807b80ac60f166b8da2d96fdb0eefe32a41 [log] [tgz]
author: Sungtak Lee <taklee@google.com> Sun Dec 11 06:16:15 2022 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Thu Jan 12 19:06:47 2023 +0000
tree: b9058954a56a5c993fdd21501d1465c13161ce02
parent: 3ffde8ab6d3db6ff0e77f8a0211a0608ef5c0d9f [diff]
diff --git a/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp b/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp
index e55bdc0..bbbd03e 100644
--- a/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp
+++ b/media/codec2/vndk/platform/C2SurfaceSyncObj.cpp

@@ -64,6 +64,11 @@
     }
 
     HandleSyncMem *o = static_cast<HandleSyncMem*>(handle);
+    if (o->size() < sizeof(C2SyncVariables)) {
+        android_errorWriteLog(0x534e4554, "240140929");
+        return nullptr;
+    }
+
     void *ptr = mmap(NULL, o->size(), PROT_READ | PROT_WRITE, MAP_SHARED, o->memFd(), 0);
 
     if (ptr == MAP_FAILED) {
commit	b7f5c807b80ac60f166b8da2d96fdb0eefe32a41	[log] [tgz]
author	Sungtak Lee <taklee@google.com>	Sun Dec 11 06:16:15 2022 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	Thu Jan 12 19:06:47 2023 +0000
tree	b9058954a56a5c993fdd21501d1465c13161ce02
parent	3ffde8ab6d3db6ff0e77f8a0211a0608ef5c0d9f [diff]