From fd14e27b8997da6b453174af2af2e1cf66e01b5d Mon Sep 17 00:00:00 2001
From: Michael Butler <butlermichael@google.com>
Date: Mon, 27 Mar 2017 14:14:18 -0700
Subject: [PATCH] Fix RS HIDL server, pass data by bytes instead of by
 elements.

  Our current stack:
  API->API_TO_HAL_translator->HAL
          ->HAL_TO_Implementation_translator->Implementation

  For most APIs:
  - API passes objectCount.
  - HAL expects objectCount.
  - Implementation expects objectCount.

  For APIs like ScriptGroupCreate:
  - API passes byteCount. And unfortunately, these APIs are part of
    NDK, we could not make them also passing objectCount like others.
  - HAL expects objectCount.
  - Implementation expects byteCount.

  So that both API_TO_HAL_translator and
  HAL_TO_Implementation_translator should correctly convert input
  objectCount/byteCount to byteCount/objectCount.

  This CL only fixes the HAL_TO_Implementation_translator part,
  whereas aosp/356395 fixes the API_TO_HAL_translator part. Both
  parts were mistakenly using byteCount as objectCount, causing
  potential out-of-bound access.

Bug: 36404879
Test: mm on angler
Change-Id: I28541a8926aeafece40e2a3f664bda67e26a34a2
---
 renderscript/1.0/default/Context.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/renderscript/1.0/default/Context.cpp b/renderscript/1.0/default/Context.cpp
index ef17b46342..389b6e7bcb 100644
--- a/renderscript/1.0/default/Context.cpp
+++ b/renderscript/1.0/default/Context.cpp
@@ -63,7 +63,7 @@ Return<Allocation> Context::allocationAdapterCreate(Type type, Allocation baseAl
 Return<void> Context::allocationAdapterOffset(Allocation alloc, const hidl_vec<uint32_t>& offsets) {
     RsAllocation _alloc = hidl_to_rs<RsAllocation>(alloc);
     const hidl_vec<uint32_t>& _offsets = offsets;
-    Device::getHal().AllocationAdapterOffset(mContext, _alloc, _offsets.data(), _offsets.size());
+    Device::getHal().AllocationAdapterOffset(mContext, _alloc, _offsets.data(), _offsets.size() * sizeof(uint32_t));
     return Void();
 }
 
@@ -552,7 +552,7 @@ Return<ScriptGroup> Context::scriptGroupCreate(const hidl_vec<ScriptKernelID>& k
     std::vector<RsScriptKernelID> _dstK    = hidl_to_rs<RsScriptKernelID>(dstK,    [](ScriptFieldID val) { return hidl_to_rs<RsScriptKernelID>(val); });
     std::vector<RsScriptFieldID>  _dstF    = hidl_to_rs<RsScriptFieldID>(dstF,     [](ScriptFieldID val) { return hidl_to_rs<RsScriptFieldID>(val); });
     std::vector<RsType>           _types   = hidl_to_rs<RsType>(types,             [](Type val) { return hidl_to_rs<RsType>(val); });
-    RsScriptGroup _scriptGroup = Device::getHal().ScriptGroupCreate(mContext, _kernels.data(), _kernels.size(), _srcK.data(), _srcK.size(), _dstK.data(), _dstK.size(), _dstF.data(), _dstF.size(), _types.data(), _types.size());
+    RsScriptGroup _scriptGroup = Device::getHal().ScriptGroupCreate(mContext, _kernels.data(), _kernels.size() * sizeof(RsScriptKernelID), _srcK.data(), _srcK.size() * sizeof(RsScriptKernelID), _dstK.data(), _dstK.size() * sizeof(RsScriptKernelID), _dstF.data(), _dstF.size() * sizeof(RsScriptFieldID), _types.data(), _types.size() * sizeof(RsType));
     return rs_to_hidl<ScriptGroup>(_scriptGroup);
 }
 
@@ -725,7 +725,7 @@ Return<void> Context::scriptSetVarVE(Script vs, uint32_t slot, const hidl_vec<ui
     size_t _len = data.size();
     RsElement _ve = hidl_to_rs<RsElement>(ve);
     const uint32_t* _dimsPtr = dims.data();
-    size_t _dimLen = dims.size();
+    size_t _dimLen = dims.size() * sizeof(uint32_t);
     Device::getHal().ScriptSetVarVE(mContext, _vs, _slot, _dataPtr, _len, _ve, _dimsPtr, _dimLen);
     return Void();
 }