gralloc1: Check input addresses for null
Change-Id: Iddfcc07e50d3503a69b3604e5bd7f025f2b20534
CRs-Fixed: 2114346
diff --git a/libgralloc1/gr_buf_mgr.cpp b/libgralloc1/gr_buf_mgr.cpp
index 59afe19..146d3a3 100644
--- a/libgralloc1/gr_buf_mgr.cpp
+++ b/libgralloc1/gr_buf_mgr.cpp
@@ -540,6 +540,10 @@
int format = va_arg(args, int);
native_handle_t **handle = va_arg(args, native_handle_t **);
+ if (!handle) {
+ return GRALLOC1_ERROR_BAD_HANDLE;
+ }
+
private_handle_t *hnd = reinterpret_cast<private_handle_t *>(
native_handle_create(private_handle_t::kNumFds, private_handle_t::NumInts()));
if (hnd) {
@@ -549,7 +553,7 @@
hnd->flags = private_handle_t::PRIV_FLAGS_USES_ION;
hnd->size = size;
hnd->offset = offset;
- hnd->base = uint64_t(base) + offset;
+ hnd->base = uint64_t(base);
hnd->gpuaddr = 0;
BufferInfo info(width, height, format);
GetAlignedWidthAndHeight(info, &alignedw, &alignedh);
@@ -567,6 +571,11 @@
int format = va_arg(args, int);
int *stride = va_arg(args, int *);
unsigned int alignedw = 0, alignedh = 0;
+
+ if (!stride) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
BufferInfo info(width, width, format);
GetAlignedWidthAndHeight(info, &alignedw, &alignedh);
*stride = INT(alignedw);
@@ -579,6 +588,10 @@
return GRALLOC1_ERROR_BAD_HANDLE;
}
+ if (!stride) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
BufferDim_t buffer_dim;
if (getMetaData(hnd, GET_BUFFER_GEOMETRY, &buffer_dim) == 0) {
*stride = buffer_dim.sliceWidth;
@@ -596,6 +609,10 @@
return GRALLOC1_ERROR_BAD_HANDLE;
}
+ if (!stride || !height) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
BufferDim_t buffer_dim;
int interlaced = 0;
@@ -631,6 +648,10 @@
int *aligned_width = va_arg(args, int *);
int *aligned_height = va_arg(args, int *);
int *tile_enabled = va_arg(args, int *);
+ if (!aligned_width || !aligned_height || !tile_enabled) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
unsigned int alignedw, alignedh;
BufferInfo info(width, height, format, prod_usage, cons_usage);
*tile_enabled = IsUBwcEnabled(format, prod_usage, cons_usage);
@@ -642,9 +663,15 @@
case GRALLOC_MODULE_PERFORM_GET_COLOR_SPACE_FROM_HANDLE: {
private_handle_t *hnd = va_arg(args, private_handle_t *);
int *color_space = va_arg(args, int *);
+
if (private_handle_t::validate(hnd) != 0) {
return GRALLOC1_ERROR_BAD_HANDLE;
}
+
+ if (!color_space) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
*color_space = 0;
#ifdef USE_COLOR_METADATA
ColorMetaData color_metadata;
@@ -676,6 +703,11 @@
if (private_handle_t::validate(hnd) != 0) {
return GRALLOC1_ERROR_BAD_HANDLE;
}
+
+ if (!ycbcr) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
if (GetYUVPlaneInfo(hnd, ycbcr)) {
return GRALLOC1_ERROR_UNDEFINED;
}
@@ -684,10 +716,15 @@
case GRALLOC_MODULE_PERFORM_GET_MAP_SECURE_BUFFER_INFO: {
private_handle_t *hnd = va_arg(args, private_handle_t *);
int *map_secure_buffer = va_arg(args, int *);
+
if (private_handle_t::validate(hnd) != 0) {
return GRALLOC1_ERROR_BAD_HANDLE;
}
+ if (!map_secure_buffer) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
if (getMetaData(hnd, GET_MAP_SECURE_BUFFER, map_secure_buffer) == 0) {
*map_secure_buffer = 0;
}
@@ -696,9 +733,15 @@
case GRALLOC_MODULE_PERFORM_GET_UBWC_FLAG: {
private_handle_t *hnd = va_arg(args, private_handle_t *);
int *flag = va_arg(args, int *);
+
if (private_handle_t::validate(hnd) != 0) {
return GRALLOC1_ERROR_BAD_HANDLE;
}
+
+ if (!flag) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
*flag = hnd->flags &private_handle_t::PRIV_FLAGS_UBWC_ALIGNED;
int linear_format = 0;
if (getMetaData(hnd, GET_LINEAR_FORMAT, &linear_format) == 0) {
@@ -711,9 +754,15 @@
case GRALLOC_MODULE_PERFORM_GET_RGB_DATA_ADDRESS: {
private_handle_t *hnd = va_arg(args, private_handle_t *);
void **rgb_data = va_arg(args, void **);
+
if (private_handle_t::validate(hnd) != 0) {
return GRALLOC1_ERROR_BAD_HANDLE;
}
+
+ if (!rgb_data) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
if (GetRgbDataAddress(hnd, rgb_data)) {
return GRALLOC1_ERROR_UNDEFINED;
}
@@ -730,6 +779,11 @@
uint32_t *aligned_width = va_arg(args, uint32_t *);
uint32_t *aligned_height = va_arg(args, uint32_t *);
uint32_t *size = va_arg(args, uint32_t *);
+
+ if (!aligned_width || !aligned_height || !size) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
auto info = BufferInfo(width, height, format, producer_usage, consumer_usage);
GetBufferSizeAndDimensions(info, size, aligned_width, aligned_height);
// Align size
@@ -737,14 +791,18 @@
*size = ALIGN(*size, align);
} break;
- // TODO(user): Break out similar functionality, preferably moving to a common lib.
-
case GRALLOC1_MODULE_PERFORM_GET_INTERLACE_FLAG: {
private_handle_t *hnd = va_arg(args, private_handle_t *);
int *flag = va_arg(args, int *);
+
if (private_handle_t::validate(hnd) != 0) {
return GRALLOC1_ERROR_BAD_HANDLE;
}
+
+ if (!flag) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
if (getMetaData(hnd, GET_PP_PARAM_INTERLACED, flag) != 0) {
*flag = 0;
}
diff --git a/libgralloc1/gr_device_impl.cpp b/libgralloc1/gr_device_impl.cpp
index 03e42ab..d421ff1 100644
--- a/libgralloc1/gr_device_impl.cpp
+++ b/libgralloc1/gr_device_impl.cpp
@@ -347,6 +347,10 @@
gralloc1_error_t GrallocImpl::GetProducerUsage(gralloc1_device_t *device, buffer_handle_t buffer,
gralloc1_producer_usage_t *outUsage) {
+ if (!outUsage) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
gralloc1_error_t status = CheckDeviceAndHandle(device, buffer);
if (status == GRALLOC1_ERROR_NONE) {
const private_handle_t *hnd = PRIV_HANDLE_CONST(buffer);
@@ -358,6 +362,10 @@
gralloc1_error_t GrallocImpl::GetBufferStride(gralloc1_device_t *device, buffer_handle_t buffer,
uint32_t *outStride) {
+ if (!outStride) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
gralloc1_error_t status = CheckDeviceAndHandle(device, buffer);
if (status == GRALLOC1_ERROR_NONE) {
*outStride = UINT(PRIV_HANDLE_CONST(buffer)->GetStride());
@@ -373,6 +381,10 @@
return GRALLOC1_ERROR_BAD_DESCRIPTOR;
}
+ if (!device) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
GrallocImpl const *dev = GRALLOC_IMPL(device);
gralloc1_error_t status = dev->buf_mgr_->AllocateBuffers(num_descriptors, descriptors,
out_buffers);
@@ -403,6 +415,10 @@
gralloc1_error_t GrallocImpl::GetNumFlexPlanes(gralloc1_device_t *device, buffer_handle_t buffer,
uint32_t *out_num_planes) {
+ if (!out_num_planes) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
gralloc1_error_t status = CheckDeviceAndHandle(device, buffer);
if (status == GRALLOC1_ERROR_NONE) {
GrallocImpl const *dev = GRALLOC_IMPL(device);
@@ -425,7 +441,8 @@
int32_t acquire_fence) {
ATRACE_CALL();
gralloc1_error_t status = CheckDeviceAndHandle(device, buffer);
- if (status != GRALLOC1_ERROR_NONE) {
+ if (status != GRALLOC1_ERROR_NONE || !out_data ||
+ !region) { // currently we ignore the region/rect client wants to lock
CloseFdIfValid(acquire_fence);
return status;
}
@@ -452,13 +469,8 @@
// return GRALLOC1_ERROR_BAD_VALUE;
}
- // currently we ignore the region/rect client wants to lock
- if (region == NULL) {
- return GRALLOC1_ERROR_BAD_VALUE;
- }
// TODO(user): Need to check if buffer was allocated with the same flags
status = dev->buf_mgr_->LockBuffer(hnd, prod_usage, cons_usage);
-
*out_data = reinterpret_cast<void *>(hnd->base);
return status;
@@ -470,7 +482,12 @@
const gralloc1_rect_t *region,
struct android_flex_layout *out_flex_layout,
int32_t acquire_fence) {
- void *out_data;
+ if (!out_flex_layout) {
+ CloseFdIfValid(acquire_fence);
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
+ void *out_data {};
gralloc1_error_t status = GrallocImpl::LockBuffer(device, buffer, prod_usage, cons_usage, region,
&out_data, acquire_fence);
if (status != GRALLOC1_ERROR_NONE) {
@@ -486,11 +503,14 @@
gralloc1_error_t GrallocImpl::UnlockBuffer(gralloc1_device_t *device, buffer_handle_t buffer,
int32_t *release_fence) {
gralloc1_error_t status = CheckDeviceAndHandle(device, buffer);
-
if (status != GRALLOC1_ERROR_NONE) {
return status;
}
+ if (!release_fence) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
const private_handle_t *hnd = PRIV_HANDLE_CONST(buffer);
GrallocImpl const *dev = GRALLOC_IMPL(device);
@@ -500,6 +520,10 @@
}
gralloc1_error_t GrallocImpl::Gralloc1Perform(gralloc1_device_t *device, int operation, ...) {
+ if (!device) {
+ return GRALLOC1_ERROR_BAD_VALUE;
+ }
+
va_list args;
va_start(args, operation);
GrallocImpl const *dev = GRALLOC_IMPL(device);