commit 1791d9bfabcb3ec06bfd61f0818f89b726bc1426
author Michael Butler <butlermichael@google.com> Mon Mar 27 14:14:18 2017 -0700
committer Michael Butler <butlermichael@google.com> Wed Mar 29 17:42:33 2017 -0700
tree 2e21f414c66a6990baa9a4c10e29694ddcb56b64
parent bf0f670580c9428a2fd8777644d70a0e1519cbfa

Fix RS HIDL server, pass data by bytes instead of by elements.

  Our current stack:
  API->API_TO_HAL_translator->HAL
          ->HAL_TO_Implementation_translator->Implementation

  For most APIs:
  - API passes objectCount.
  - HAL expects objectCount.
  - Implementation expects objectCount.

  For APIs like ScriptGroupCreate:
  - API passes byteCount. And unfortunately, these APIs are part of
    NDK, we could not make them also passing objectCount like others.
  - HAL expects objectCount.
  - Implementation expects byteCount.

  So that both API_TO_HAL_translator and
  HAL_TO_Implementation_translator should correctly convert input
  objectCount/byteCount to byteCount/objectCount.

  This CL only fixes the HAL_TO_Implementation_translator part,
  whereas aosp/356395 fixes the API_TO_HAL_translator part. Both
  parts were mistakenly using byteCount as objectCount, causing
  potential out-of-bound access.

Bug: 36404879
Test: mm on angler
Change-Id: I28541a8926aeafece40e2a3f664bda67e26a34a2
(cherry picked from commit fd14e27b8997da6b453174af2af2e1cf66e01b5d)

renderscript/1.0/default/Context.cpp

diff --git a/renderscript/1.0/default/Context.cpp b/renderscript/1.0/default/Context.cpp
index ef17b463..389b6e7 100644
--- a/renderscript/1.0/default/Context.cpp
+++ b/renderscript/1.0/default/Context.cpp
@@ -63,7 +63,7 @@
 Return<void> Context::allocationAdapterOffset(Allocation alloc, const hidl_vec<uint32_t>& offsets) {
     RsAllocation _alloc = hidl_to_rs<RsAllocation>(alloc);
     const hidl_vec<uint32_t>& _offsets = offsets;
-    Device::getHal().AllocationAdapterOffset(mContext, _alloc, _offsets.data(), _offsets.size());
+    Device::getHal().AllocationAdapterOffset(mContext, _alloc, _offsets.data(), _offsets.size() * sizeof(uint32_t));
     return Void();
 }
 
@@ -552,7 +552,7 @@
     std::vector<RsScriptKernelID> _dstK    = hidl_to_rs<RsScriptKernelID>(dstK,    [](ScriptFieldID val) { return hidl_to_rs<RsScriptKernelID>(val); });
     std::vector<RsScriptFieldID>  _dstF    = hidl_to_rs<RsScriptFieldID>(dstF,     [](ScriptFieldID val) { return hidl_to_rs<RsScriptFieldID>(val); });
     std::vector<RsType>           _types   = hidl_to_rs<RsType>(types,             [](Type val) { return hidl_to_rs<RsType>(val); });
-    RsScriptGroup _scriptGroup = Device::getHal().ScriptGroupCreate(mContext, _kernels.data(), _kernels.size(), _srcK.data(), _srcK.size(), _dstK.data(), _dstK.size(), _dstF.data(), _dstF.size(), _types.data(), _types.size());
+    RsScriptGroup _scriptGroup = Device::getHal().ScriptGroupCreate(mContext, _kernels.data(), _kernels.size() * sizeof(RsScriptKernelID), _srcK.data(), _srcK.size() * sizeof(RsScriptKernelID), _dstK.data(), _dstK.size() * sizeof(RsScriptKernelID), _dstF.data(), _dstF.size() * sizeof(RsScriptFieldID), _types.data(), _types.size() * sizeof(RsType));
     return rs_to_hidl<ScriptGroup>(_scriptGroup);
 }
 
@@ -725,7 +725,7 @@
     size_t _len = data.size();
     RsElement _ve = hidl_to_rs<RsElement>(ve);
     const uint32_t* _dimsPtr = dims.data();
-    size_t _dimLen = dims.size();
+    size_t _dimLen = dims.size() * sizeof(uint32_t);
     Device::getHal().ScriptSetVarVE(mContext, _vs, _slot, _dataPtr, _len, _ve, _dimsPtr, _dimLen);
     return Void();
 }