cec: Calculate buffer length to protect from overflow
Change-Id: I38b1e98ea5e1231a9cb3480b2f99a61dae957a25
CRs-Fixed: 2037019
diff --git a/hdmi_cec/qhdmi_cec.cpp b/hdmi_cec/qhdmi_cec.cpp
index f84cf80..0923d92 100644
--- a/hdmi_cec/qhdmi_cec.cpp
+++ b/hdmi_cec/qhdmi_cec.cpp
@@ -1,5 +1,5 @@
/*
-* Copyright (c) 2014, 2016, The Linux Foundation. All rights reserved.
+* Copyright (c) 2014, 2016-2017, The Linux Foundation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -296,8 +296,10 @@
event.cec.initiator = (cec_logical_address_t) msg[CEC_OFFSET_SENDER_ID];
event.cec.destination = (cec_logical_address_t) msg[CEC_OFFSET_RECEIVER_ID];
//Copy opcode and operand
- memcpy(event.cec.body, &msg[CEC_OFFSET_OPCODE], event.cec.length);
- hex_to_string((char *) event.cec.body, event.cec.length, dump);
+ size_t copy_size = event.cec.length > sizeof(event.cec.body) ?
+ sizeof(event.cec.body) : event.cec.length;
+ memcpy(event.cec.body, &msg[CEC_OFFSET_OPCODE],copy_size);
+ hex_to_string((char *) event.cec.body, copy_size, dump);
ALOGD_IF(DEBUG, "%s: Message to framework: %s", __FUNCTION__, dump);
ctx->callback.callback_func(&event, ctx->callback.callback_arg);
}