From 2371bc8191fa18e5dc6807f1d7c64c4c87ba81c2 Mon Sep 17 00:00:00 2001
From: Paul Colta <donpaul@google.com>
Date: Mon, 15 May 2023 10:18:18 +0200
Subject: [PATCH] HDMICEC: Out of Bounds Write in sendMessage in HdmiCec.cpp

Bug: 278243594
Test: m && m android.hardware.tv.cec@1.0 && m android.hardware.tv.cec@1.0-service && atest VtsHalTvCecV1_0TargetTest
Change-Id: I2989f66f41172b345e3047218e138358c18b8644
---
 tv/cec/1.0/default/HdmiCec.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tv/cec/1.0/default/HdmiCec.cpp b/tv/cec/1.0/default/HdmiCec.cpp
index 74de785e81..f05f610d4c 100644
--- a/tv/cec/1.0/default/HdmiCec.cpp
+++ b/tv/cec/1.0/default/HdmiCec.cpp
@@ -307,6 +307,9 @@ Return<void> HdmiCec::getPhysicalAddress(getPhysicalAddress_cb _hidl_cb) {
 }
 
 Return<SendMessageResult> HdmiCec::sendMessage(const CecMessage& message) {
+    if (message.body.size() > CEC_MESSAGE_BODY_MAX_LENGTH) {
+        return SendMessageResult::FAIL;
+    }
     cec_message_t legacyMessage {
         .initiator = static_cast<cec_logical_address_t>(message.initiator),
         .destination = static_cast<cec_logical_address_t>(message.destination),