From cefa91bb5108c947afe69251ad2a4366e540a2aa Mon Sep 17 00:00:00 2001 From: Peng Xu Date: Mon, 16 Jan 2017 03:10:40 -0800 Subject: [PATCH] [sensors] Add parameter check to poll() Check maxCount parameter so that it will not allocate overly large amount of memory if input parameter is bad. Bug: 32953589 Test: build and pass vts Change-Id: Ia19e0315ab1623b8b6580889c1e058a19e6c9670 --- sensors/1.0/ISensors.hal | 4 +++- sensors/1.0/default/Sensors.cpp | 7 ++++--- sensors/1.0/default/Sensors.h | 2 ++ 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/sensors/1.0/ISensors.hal b/sensors/1.0/ISensors.hal index c56da29cf5..5c8301aa26 100644 --- a/sensors/1.0/ISensors.hal +++ b/sensors/1.0/ISensors.hal @@ -61,7 +61,9 @@ interface ISensors { * If there is no sensor event when this function is being called, block * until there are sensor events available. * - * @param maxCount max number of samples can be returned. + * @param maxCount max number of samples can be returned, must be > 0. + * Actual number of events returned in data must be <= maxCount + * and > 0. * @return result OK on success or BAD_VALUE if maxCount <= 0. * @return data vector of Event contains sensor events. * @return dynamicSensorsAdded vector of SensorInfo contains dynamic sensor diff --git a/sensors/1.0/default/Sensors.cpp b/sensors/1.0/default/Sensors.cpp index 8903397a2b..e4ef99db16 100644 --- a/sensors/1.0/default/Sensors.cpp +++ b/sensors/1.0/default/Sensors.cpp @@ -151,12 +151,13 @@ Return Sensors::poll(int32_t maxCount, poll_cb _hidl_cb) { return Void(); } - std::unique_ptr data(new sensors_event_t[maxCount]); + int bufferSize = maxCount <= kPollMaxBufferSize ? maxCount : kPollMaxBufferSize; + + std::unique_ptr data(new sensors_event_t[bufferSize]); int err = mSensorDevice->poll( reinterpret_cast(mSensorDevice), - data.get(), - maxCount); + data.get(), bufferSize); if (err < 0) { _hidl_cb(ResultFromStatus(err), out, dynamicSensorsAdded); diff --git a/sensors/1.0/default/Sensors.h b/sensors/1.0/default/Sensors.h index e8bd98dcfe..09729d39e6 100644 --- a/sensors/1.0/default/Sensors.h +++ b/sensors/1.0/default/Sensors.h @@ -27,6 +27,7 @@ namespace sensors { namespace V1_0 { namespace implementation { + struct Sensors : public ::android::hardware::sensors::V1_0::ISensors { Sensors(); @@ -60,6 +61,7 @@ struct Sensors : public ::android::hardware::sensors::V1_0::ISensors { configDirectReport_cb _hidl_cb) override; private: + static constexpr int32_t kPollMaxBufferSize = 128; status_t mInitCheck; sensors_module_t *mSensorModule; sensors_poll_device_1_t *mSensorDevice;