commit 6e4b37640aa17d00d7af9c274bdf07aeb894f233
author Saurabh Shah <saurshah@codeaurora.org> Thu Sep 21 15:30:15 2017 -0700
committer Saurabh Shah <saurshah@codeaurora.org> Tue Oct 03 14:33:09 2017 -0700
tree 9e1fe5a2ea44248f4b069b4e38538fc7b9f67071
parent ddb2218d710b68b6b78566a631ec200d94f80c0c

gralloc1: Check input addresses for null

Change-Id: Iddfcc07e50d3503a69b3604e5bd7f025f2b20534
CRs-Fixed: 2114346

libgralloc1/gr_buf_mgr.cpp

diff --git a/libgralloc1/gr_buf_mgr.cpp b/libgralloc1/gr_buf_mgr.cpp
index 59afe19..146d3a3 100644
--- a/libgralloc1/gr_buf_mgr.cpp
+++ b/libgralloc1/gr_buf_mgr.cpp
@@ -540,6 +540,10 @@
       int format = va_arg(args, int);
 
       native_handle_t **handle = va_arg(args, native_handle_t **);
+      if (!handle) {
+        return GRALLOC1_ERROR_BAD_HANDLE;
+      }
+
       private_handle_t *hnd = reinterpret_cast<private_handle_t *>(
           native_handle_create(private_handle_t::kNumFds, private_handle_t::NumInts()));
       if (hnd) {
@@ -549,7 +553,7 @@
         hnd->flags = private_handle_t::PRIV_FLAGS_USES_ION;
         hnd->size = size;
         hnd->offset = offset;
-        hnd->base = uint64_t(base) + offset;
+        hnd->base = uint64_t(base);
         hnd->gpuaddr = 0;
         BufferInfo info(width, height, format);
         GetAlignedWidthAndHeight(info, &alignedw, &alignedh);
@@ -567,6 +571,11 @@
       int format = va_arg(args, int);
       int *stride = va_arg(args, int *);
       unsigned int alignedw = 0, alignedh = 0;
+
+      if (!stride) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       BufferInfo info(width, width, format);
       GetAlignedWidthAndHeight(info, &alignedw, &alignedh);
       *stride = INT(alignedw);
@@ -579,6 +588,10 @@
         return GRALLOC1_ERROR_BAD_HANDLE;
       }
 
+      if (!stride) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       BufferDim_t buffer_dim;
       if (getMetaData(hnd, GET_BUFFER_GEOMETRY, &buffer_dim) == 0) {
         *stride = buffer_dim.sliceWidth;
@@ -596,6 +609,10 @@
         return GRALLOC1_ERROR_BAD_HANDLE;
       }
 
+      if (!stride || !height) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       BufferDim_t buffer_dim;
       int interlaced = 0;
 
@@ -631,6 +648,10 @@
       int *aligned_width = va_arg(args, int *);
       int *aligned_height = va_arg(args, int *);
       int *tile_enabled = va_arg(args, int *);
+      if (!aligned_width || !aligned_height || !tile_enabled) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       unsigned int alignedw, alignedh;
       BufferInfo info(width, height, format, prod_usage, cons_usage);
       *tile_enabled = IsUBwcEnabled(format, prod_usage, cons_usage);
@@ -642,9 +663,15 @@
     case GRALLOC_MODULE_PERFORM_GET_COLOR_SPACE_FROM_HANDLE: {
       private_handle_t *hnd = va_arg(args, private_handle_t *);
       int *color_space = va_arg(args, int *);
+
       if (private_handle_t::validate(hnd) != 0) {
         return GRALLOC1_ERROR_BAD_HANDLE;
       }
+
+      if (!color_space) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       *color_space = 0;
 #ifdef USE_COLOR_METADATA
       ColorMetaData color_metadata;
@@ -676,6 +703,11 @@
       if (private_handle_t::validate(hnd) != 0) {
         return GRALLOC1_ERROR_BAD_HANDLE;
       }
+
+      if (!ycbcr) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       if (GetYUVPlaneInfo(hnd, ycbcr)) {
         return GRALLOC1_ERROR_UNDEFINED;
       }
@@ -684,10 +716,15 @@
     case GRALLOC_MODULE_PERFORM_GET_MAP_SECURE_BUFFER_INFO: {
       private_handle_t *hnd = va_arg(args, private_handle_t *);
       int *map_secure_buffer = va_arg(args, int *);
+
       if (private_handle_t::validate(hnd) != 0) {
         return GRALLOC1_ERROR_BAD_HANDLE;
       }
 
+      if (!map_secure_buffer) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       if (getMetaData(hnd, GET_MAP_SECURE_BUFFER, map_secure_buffer) == 0) {
         *map_secure_buffer = 0;
       }
@@ -696,9 +733,15 @@
     case GRALLOC_MODULE_PERFORM_GET_UBWC_FLAG: {
       private_handle_t *hnd = va_arg(args, private_handle_t *);
       int *flag = va_arg(args, int *);
+
       if (private_handle_t::validate(hnd) != 0) {
         return GRALLOC1_ERROR_BAD_HANDLE;
       }
+
+      if (!flag) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       *flag = hnd->flags &private_handle_t::PRIV_FLAGS_UBWC_ALIGNED;
       int linear_format = 0;
       if (getMetaData(hnd, GET_LINEAR_FORMAT, &linear_format) == 0) {
@@ -711,9 +754,15 @@
     case GRALLOC_MODULE_PERFORM_GET_RGB_DATA_ADDRESS: {
       private_handle_t *hnd = va_arg(args, private_handle_t *);
       void **rgb_data = va_arg(args, void **);
+
       if (private_handle_t::validate(hnd) != 0) {
         return GRALLOC1_ERROR_BAD_HANDLE;
       }
+
+      if (!rgb_data) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       if (GetRgbDataAddress(hnd, rgb_data)) {
         return GRALLOC1_ERROR_UNDEFINED;
       }
@@ -730,6 +779,11 @@
       uint32_t *aligned_width = va_arg(args, uint32_t *);
       uint32_t *aligned_height = va_arg(args, uint32_t *);
       uint32_t *size = va_arg(args, uint32_t *);
+
+      if (!aligned_width || !aligned_height || !size) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       auto info = BufferInfo(width, height, format, producer_usage, consumer_usage);
       GetBufferSizeAndDimensions(info, size, aligned_width, aligned_height);
       // Align size
@@ -737,14 +791,18 @@
       *size = ALIGN(*size, align);
     } break;
 
-      // TODO(user): Break out similar functionality, preferably moving to a common lib.
-
     case GRALLOC1_MODULE_PERFORM_GET_INTERLACE_FLAG: {
       private_handle_t *hnd = va_arg(args, private_handle_t *);
       int *flag = va_arg(args, int *);
+
       if (private_handle_t::validate(hnd) != 0) {
         return GRALLOC1_ERROR_BAD_HANDLE;
       }
+
+      if (!flag) {
+        return GRALLOC1_ERROR_BAD_VALUE;
+      }
+
       if (getMetaData(hnd, GET_PP_PARAM_INTERLACED, flag) != 0) {
         *flag = 0;
       }