From caee7cd3f678e840f808e8545614d0465f8bc963 Mon Sep 17 00:00:00 2001
From: ramindani <ramindani@google.com>
Date: Thu, 25 May 2023 22:07:04 +0000
Subject: [PATCH] [VTS 2.3] Add length check before reading blob

Adding a length check prevents the read() from
reading outside the bounds and prevents OOB crash.

Test: atest VtsHalGraphicsComposerV2_3TargetTest && atest VtsHalGraphicsComposerV2_4TargetTest
BUG: 252764300
Change-Id: I6231e340a925127f9c32ccb76768286f7292df58
Merged-In: I6231e340a925127f9c32ccb76768286f7292df58
---
 .../utils/hal/include/composer-hal/2.3/ComposerCommandEngine.h  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/graphics/composer/2.3/utils/hal/include/composer-hal/2.3/ComposerCommandEngine.h b/graphics/composer/2.3/utils/hal/include/composer-hal/2.3/ComposerCommandEngine.h
index f1d61f84c2..42996dd4b6 100644
--- a/graphics/composer/2.3/utils/hal/include/composer-hal/2.3/ComposerCommandEngine.h
+++ b/graphics/composer/2.3/utils/hal/include/composer-hal/2.3/ComposerCommandEngine.h
@@ -82,7 +82,7 @@ class ComposerCommandEngine : public V2_2::hal::ComposerCommandEngine {
 
         std::vector<IComposerClient::PerFrameMetadataBlob> metadata;
 
-        for (size_t i = 0; i < numBlobs; i++) {
+        for (size_t i = 0; i < numBlobs && length >= 2; i++) {
             IComposerClient::PerFrameMetadataKey key =
                 static_cast<IComposerClient::PerFrameMetadataKey>(readSigned());
             uint32_t blobSize = read();