author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-12-04 13:47:35 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-12-04 13:47:35 +0000 |
commit | 3fde648e5c44b661f79c37cc65c1cbf8d7bd8e97 (patch) | |
tree | f6562d3f98820be09bc2775e154bcc0b16a6e022 | |
parent | 6964b4ad588aa6ce75dd0712d00151ca883e72f2 (diff) | |
parent | e7af15d9f9cd481bb67148164ecda711383ecd98 (diff) | |
download | v33-android14-mainline-sdkext-release.tar.gz |
Snap for 11173240 from e7af15d9f9cd481bb67148164ecda711383ecd98 to mainline-sdkext-releaseaml_sdk_341510000aml_sdk_341410000android14-mainline-sdkext-release
Change-Id: Idcf49cda011a7fea9cdf85101fa329af12cf45a8
-rwxr-xr-x | arm/arch-arm-armv7-a-neon/shared/vndk-core/libstagefright_bufferpool@2.0.so | bin | 134856 -> 136744 bytes | |||
-rw-r--r-- | arm/include/system/libfmq/include/fmq/MessageQueueBase.h | 56 | ||||
-rwxr-xr-x | arm64/arch-arm-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so | bin | 134156 -> 135828 bytes | |||
-rwxr-xr-x | arm64/arch-arm64-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so | bin | 182632 -> 186840 bytes | |||
-rw-r--r-- | arm64/include/system/libfmq/include/fmq/MessageQueueBase.h | 56 | ||||
-rwxr-xr-x | x86/arch-x86/shared/vndk-core/libstagefright_bufferpool@2.0.so | bin | 177092 -> 180868 bytes | |||
-rw-r--r-- | x86/include/system/libfmq/include/fmq/MessageQueueBase.h | 56 | ||||
-rwxr-xr-x | x86_64/arch-x86-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so | bin | 175956 -> 179860 bytes | |||
-rwxr-xr-x | x86_64/arch-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so | bin | 187192 -> 190344 bytes | |||
-rw-r--r-- | x86_64/include/system/libfmq/include/fmq/MessageQueueBase.h | 56 |
10 files changed, 180 insertions, 44 deletions
diff --git a/arm/arch-arm-armv7-a-neon/shared/vndk-core/libstagefright_bufferpool@2.0.so b/arm/arch-arm-armv7-a-neon/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
index 84ed419..9d38134 100755
--- a/arm/arch-arm-armv7-a-neon/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/arm/arch-arm-armv7-a-neon/shared/vndk-core/libstagefright_bufferpool@2.0.so
diff --git a/arm/include/system/libfmq/include/fmq/MessageQueueBase.h b/arm/include/system/libfmq/include/fmq/MessageQueueBase.h
index c34a4ff..f4bf7e2 100644
--- a/arm/include/system/libfmq/include/fmq/MessageQueueBase.h
+++ b/arm/include/system/libfmq/include/fmq/MessageQueueBase.h
@@ -586,12 +586,6 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 return;
 }
- const auto& grantors = mDesc->grantors();
- for (const auto& grantor : grantors) {
- hardware::details::check(hardware::details::isAlignedToWordBoundary(grantor.offset) == true,
- "Grantor offsets need to be aligned");
- }
-
 if (flavor == kSynchronizedReadWrite) {
 mReadPtr = reinterpret_cast<std::atomic<uint64_t>*>(
 mapGrantorDescr(hardware::details::READPTRPOS));
@@ -602,11 +596,11 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 */
 mReadPtr = new (std::nothrow) std::atomic<uint64_t>;
 }
- hardware::details::check(mReadPtr != nullptr, "mReadPtr is null");
+ if (mReadPtr == nullptr) goto error;
 mWritePtr = reinterpret_cast<std::atomic<uint64_t>*>(
 mapGrantorDescr(hardware::details::WRITEPTRPOS));
- hardware::details::check(mWritePtr != nullptr, "mWritePtr is null");
+ if (mWritePtr == nullptr) goto error;
 if (resetPointers) {
 mReadPtr->store(0, std::memory_order_release);
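Review bot: The two `goto error` exits that replace `hardware::details::check(...)` in the -602 hunk drop the message naming the failed pointer without a substitute, so in the unsynchronized branch a `new (std::nothrow)` failure now leaves no log line at all. Keeping the diagnostic costs one line per site, e.g. `if (mReadPtr == nullptr) { hardware::details::logError("mReadPtr is null"); goto error; }`. Because initMemory returns void and now returns normally on failure, it should also carry a comment stating that the queue pointers are left null and that callers must test isValid() before touching the queue; whether every caller does so cannot be seen here, since the function starts and ends outside the hunk. The arm64, x86 and x86_64 copies of the header carry the same change.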
@@ -617,14 +611,32 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 }
 mRing = reinterpret_cast<uint8_t*>(mapGrantorDescr(hardware::details::DATAPTRPOS));
- hardware::details::check(mRing != nullptr, "mRing is null");
+ if (mRing == nullptr) goto error;
 if (mDesc->countGrantors() > hardware::details::EVFLAGWORDPOS) {
 mEvFlagWord = static_cast<std::atomic<uint32_t>*>(
 mapGrantorDescr(hardware::details::EVFLAGWORDPOS));
- hardware::details::check(mEvFlagWord != nullptr, "mEvFlagWord is null");
+ if (mEvFlagWord == nullptr) goto error;
 android::hardware::EventFlag::createEventFlag(mEvFlagWord, &mEventFlag);
 }
+ return;
+error:
+ if (mReadPtr) {
+ if (flavor == kSynchronizedReadWrite) {
+ unmapGrantorDescr(mReadPtr, hardware::details::READPTRPOS);
+ } else {
+ delete mReadPtr;
+ }
+ mReadPtr = nullptr;
+ }
+ if (mWritePtr) {
+ unmapGrantorDescr(mWritePtr, hardware::details::WRITEPTRPOS);
+ mWritePtr = nullptr;
+ }
+ if (mRing) {
+ unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS);
+ mRing = nullptr;
+ }
 }
 template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
@@ -1234,7 +1246,7 @@ bool MessageQueueBase<MQDescriptorType, T, flavor>::isValid() const {
 template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
 void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t grantorIdx) {
 const native_handle_t* handle = mDesc->handle();
- auto grantors = mDesc->grantors();
+ const std::vector<android::hardware::GrantorDescriptor> grantors = mDesc->grantors();
 if (handle == nullptr) {
 hardware::details::logError("mDesc->handle is null");
 return nullptr;
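Review bot: In the new `error:` path of the -617 hunk, `mRing` is released with `unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS)` although it was mapped at the top of the same hunk with `mapGrantorDescr(hardware::details::DATAPTRPOS)`. unmapGrantorDescr is not shown on this page, but if it derives the mapping base and length from the grantor at the index it is given, the ring would be unmapped using the event-flag grantor's offset and extent. A non-null `mRing` appears to reach this label only after the EVFLAGWORDPOS mapping has failed, so that grantor is the one least safe to rely on. The line should read `unmapGrantorDescr(mRing, hardware::details::DATAPTRPOS);`. initMemory starts outside the hunk, and the same line appears in the arm64, x86 and x86_64 copies of MessageQueueBase.h.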
@@ -1247,10 +1259,32 @@ void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t gr
 }
 int fdIndex = grantors[grantorIdx].fdIndex;
+ if (fdIndex < 0 || fdIndex >= handle->numFds) {
+ hardware::details::logError(
+ std::string("fdIndex (" + std::to_string(fdIndex) + ") from grantor (index " +
+ std::to_string(grantorIdx) +
+ ") must be smaller than the number of fds in the handle: " +
+ std::to_string(handle->numFds)));
+ return nullptr;
+ }
+
 /*
 * Offset for mmap must be a multiple of PAGE_SIZE.
 */
+ if (!hardware::details::isAlignedToWordBoundary(grantors[grantorIdx].offset)) {
+ hardware::details::logError("Grantor (index " + std::to_string(grantorIdx) +
+ ") offset needs to be aligned to word boundary but is: " +
+ std::to_string(grantors[grantorIdx].offset));
+ return nullptr;
+ }
+
 int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;
+ if (grantors[grantorIdx].extent < 0 || grantors[grantorIdx].extent > INT_MAX - PAGE_SIZE) {
+ hardware::details::logError(std::string("Grantor (index " + std::to_string(grantorIdx) +
+ ") extent value is too large or negative: " +
+ std::to_string(grantors[grantorIdx].extent)));
+ return nullptr;
+ }
 int mapLength = grantors[grantorIdx].offset - mapOffset + grantors[grantorIdx].extent;
 void* address = mmap(0, mapLength, PROT_READ | PROT_WRITE, MAP_SHARED, handle->data[fdIndex],
diff --git a/arm64/arch-arm-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so b/arm64/arch-arm-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
index a196564..b06d110 100755
--- a/arm64/arch-arm-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/arm64/arch-arm-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
diff --git a/arm64/arch-arm64-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so b/arm64/arch-arm64-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
index 5d57092..3e06ff5 100755
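Review bot: In the -1247 hunk the grantor's `offset` is validated only for word alignment before it is narrowed into `int mapOffset`, whereas `extent` gets an explicit upper bound. The field's type is not visible here, but if it is unsigned or wider than int, a large value would make `mapOffset` negative or truncated before it reaches mmap(). A bound next to the extent check, e.g. `if (grantors[grantorIdx].offset > INT_MAX) return nullptr;` with a matching logError, would keep the `mapLength` arithmetic provably in range. The retained comment `Offset for mmap must be a multiple of PAGE_SIZE.` now sits above the word-alignment check rather than the `mapOffset` rounding it describes, and should move down to that line. mapGrantorDescr continues past the end of the hunk, so the handling of the mmap() result is not shown; the arm64, x86 and x86_64 copies carry the same lines.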
--- a/arm64/arch-arm64-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/arm64/arch-arm64-armv8-a/shared/vndk-core/libstagefright_bufferpool@2.0.so
diff --git a/arm64/include/system/libfmq/include/fmq/MessageQueueBase.h b/arm64/include/system/libfmq/include/fmq/MessageQueueBase.h
index c34a4ff..f4bf7e2 100644
--- a/arm64/include/system/libfmq/include/fmq/MessageQueueBase.h
+++ b/arm64/include/system/libfmq/include/fmq/MessageQueueBase.h
@@ -586,12 +586,6 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 return;
 }
- const auto& grantors = mDesc->grantors();
- for (const auto& grantor : grantors) {
- hardware::details::check(hardware::details::isAlignedToWordBoundary(grantor.offset) == true,
- "Grantor offsets need to be aligned");
- }
-
 if (flavor == kSynchronizedReadWrite) {
 mReadPtr = reinterpret_cast<std::atomic<uint64_t>*>(
 mapGrantorDescr(hardware::details::READPTRPOS));
@@ -602,11 +596,11 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 */
 mReadPtr = new (std::nothrow) std::atomic<uint64_t>;
 }
- hardware::details::check(mReadPtr != nullptr, "mReadPtr is null");
+ if (mReadPtr == nullptr) goto error;
 mWritePtr = reinterpret_cast<std::atomic<uint64_t>*>(
 mapGrantorDescr(hardware::details::WRITEPTRPOS));
- hardware::details::check(mWritePtr != nullptr, "mWritePtr is null");
+ if (mWritePtr == nullptr) goto error;
 if (resetPointers) {
 mReadPtr->store(0, std::memory_order_release);
@@ -617,14 +611,32 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 }
 mRing = reinterpret_cast<uint8_t*>(mapGrantorDescr(hardware::details::DATAPTRPOS));
- hardware::details::check(mRing != nullptr, "mRing is null");
+ if (mRing == nullptr) goto error;
 if (mDesc->countGrantors() > hardware::details::EVFLAGWORDPOS) {
 mEvFlagWord = static_cast<std::atomic<uint32_t>*>(
 mapGrantorDescr(hardware::details::EVFLAGWORDPOS));
- hardware::details::check(mEvFlagWord != nullptr, "mEvFlagWord is null");
+ if (mEvFlagWord == nullptr) goto error;
 android::hardware::EventFlag::createEventFlag(mEvFlagWord, &mEventFlag);
 }
+ return;
+error:
+ if (mReadPtr) {
+ if (flavor == kSynchronizedReadWrite) {
+ unmapGrantorDescr(mReadPtr, hardware::details::READPTRPOS);
+ } else {
+ delete mReadPtr;
+ }
+ mReadPtr = nullptr;
+ }
+ if (mWritePtr) {
+ unmapGrantorDescr(mWritePtr, hardware::details::WRITEPTRPOS);
+ mWritePtr = nullptr;
+ }
+ if (mRing) {
+ unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS);
+ mRing = nullptr;
+ }
 }
 template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
@@ -1234,7 +1246,7 @@ bool MessageQueueBase<MQDescriptorType, T, flavor>::isValid() const {
 template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
 void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t grantorIdx) {
 const native_handle_t* handle = mDesc->handle();
- auto grantors = mDesc->grantors();
+ const std::vector<android::hardware::GrantorDescriptor> grantors = mDesc->grantors();
 if (handle == nullptr) {
 hardware::details::logError("mDesc->handle is null");
 return nullptr;
@@ -1247,10 +1259,32 @@ void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t gr
 }
 int fdIndex = grantors[grantorIdx].fdIndex;
+ if (fdIndex < 0 || fdIndex >= handle->numFds) {
+ hardware::details::logError(
+ std::string("fdIndex (" + std::to_string(fdIndex) + ") from grantor (index " +
+ std::to_string(grantorIdx) +
+ ") must be smaller than the number of fds in the handle: " +
+ std::to_string(handle->numFds)));
+ return nullptr;
+ }
+
 /*
 * Offset for mmap must be a multiple of PAGE_SIZE.
 */
+ if (!hardware::details::isAlignedToWordBoundary(grantors[grantorIdx].offset)) {
+ hardware::details::logError("Grantor (index " + std::to_string(grantorIdx) +
+ ") offset needs to be aligned to word boundary but is: " +
+ std::to_string(grantors[grantorIdx].offset));
+ return nullptr;
+ }
+
 int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;
+ if (grantors[grantorIdx].extent < 0 || grantors[grantorIdx].extent > INT_MAX - PAGE_SIZE) {
+ hardware::details::logError(std::string("Grantor (index " + std::to_string(grantorIdx) +
+ ") extent value is too large or negative: " +
+ std::to_string(grantors[grantorIdx].extent)));
+ return nullptr;
+ }
 int mapLength = grantors[grantorIdx].offset - mapOffset + grantors[grantorIdx].extent;
 void* address = mmap(0, mapLength, PROT_READ | PROT_WRITE, MAP_SHARED, handle->data[fdIndex],
diff --git a/x86/arch-x86/shared/vndk-core/libstagefright_bufferpool@2.0.so b/x86/arch-x86/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
index 019422c..01900f1 100755
--- a/x86/arch-x86/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/x86/arch-x86/shared/vndk-core/libstagefright_bufferpool@2.0.so
diff --git a/x86/include/system/libfmq/include/fmq/MessageQueueBase.h b/x86/include/system/libfmq/include/fmq/MessageQueueBase.h
index c34a4ff..f4bf7e2 100644
--- a/x86/include/system/libfmq/include/fmq/MessageQueueBase.h
+++ b/x86/include/system/libfmq/include/fmq/MessageQueueBase.h
@@ -586,12 +586,6 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 return;
 }
- const auto& grantors = mDesc->grantors();
- for (const auto& grantor : grantors) {
- hardware::details::check(hardware::details::isAlignedToWordBoundary(grantor.offset) == true,
- "Grantor offsets need to be aligned");
- }
-
 if (flavor == kSynchronizedReadWrite) {
 mReadPtr = reinterpret_cast<std::atomic<uint64_t>*>(
 mapGrantorDescr(hardware::details::READPTRPOS));
@@ -602,11 +596,11 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 */
 mReadPtr = new (std::nothrow) std::atomic<uint64_t>;
 }
- hardware::details::check(mReadPtr != nullptr, "mReadPtr is null");
+ if (mReadPtr == nullptr) goto error;
 mWritePtr = reinterpret_cast<std::atomic<uint64_t>*>(
 mapGrantorDescr(hardware::details::WRITEPTRPOS));
- hardware::details::check(mWritePtr != nullptr, "mWritePtr is null");
+ if (mWritePtr == nullptr) goto error;
 if (resetPointers) {
 mReadPtr->store(0, std::memory_order_release);
@@ -617,14 +611,32 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 }
 mRing = reinterpret_cast<uint8_t*>(mapGrantorDescr(hardware::details::DATAPTRPOS));
- hardware::details::check(mRing != nullptr, "mRing is null");
+ if (mRing == nullptr) goto error;
 if (mDesc->countGrantors() > hardware::details::EVFLAGWORDPOS) {
 mEvFlagWord = static_cast<std::atomic<uint32_t>*>(
 mapGrantorDescr(hardware::details::EVFLAGWORDPOS));
- hardware::details::check(mEvFlagWord != nullptr, "mEvFlagWord is null");
+ if (mEvFlagWord == nullptr) goto error;
 android::hardware::EventFlag::createEventFlag(mEvFlagWord, &mEventFlag);
 }
+ return;
+error:
+ if (mReadPtr) {
+ if (flavor == kSynchronizedReadWrite) {
+ unmapGrantorDescr(mReadPtr, hardware::details::READPTRPOS);
+ } else {
+ delete mReadPtr;
+ }
+ mReadPtr = nullptr;
+ }
+ if (mWritePtr) {
+ unmapGrantorDescr(mWritePtr, hardware::details::WRITEPTRPOS);
+ mWritePtr = nullptr;
+ }
+ if (mRing) {
+ unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS);
+ mRing = nullptr;
+ }
 }
 template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
@@ -1234,7 +1246,7 @@ bool MessageQueueBase<MQDescriptorType, T, flavor>::isValid() const {
 template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
 void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t grantorIdx) {
 const native_handle_t* handle = mDesc->handle();
- auto grantors = mDesc->grantors();
+ const std::vector<android::hardware::GrantorDescriptor> grantors = mDesc->grantors();
 if (handle == nullptr) {
 hardware::details::logError("mDesc->handle is null");
 return nullptr;
@@ -1247,10 +1259,32 @@ void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t gr
 }
 int fdIndex = grantors[grantorIdx].fdIndex;
+ if (fdIndex < 0 || fdIndex >= handle->numFds) {
+ hardware::details::logError(
+ std::string("fdIndex (" + std::to_string(fdIndex) + ") from grantor (index " +
+ std::to_string(grantorIdx) +
+ ") must be smaller than the number of fds in the handle: " +
+ std::to_string(handle->numFds)));
+ return nullptr;
+ }
+
 /*
 * Offset for mmap must be a multiple of PAGE_SIZE.
 */
+ if (!hardware::details::isAlignedToWordBoundary(grantors[grantorIdx].offset)) {
+ hardware::details::logError("Grantor (index " + std::to_string(grantorIdx) +
+ ") offset needs to be aligned to word boundary but is: " +
+ std::to_string(grantors[grantorIdx].offset));
+ return nullptr;
+ }
+
 int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;
+ if (grantors[grantorIdx].extent < 0 || grantors[grantorIdx].extent > INT_MAX - PAGE_SIZE) {
+ hardware::details::logError(std::string("Grantor (index " + std::to_string(grantorIdx) +
+ ") extent value is too large or negative: " +
+ std::to_string(grantors[grantorIdx].extent)));
+ return nullptr;
+ }
 int mapLength = grantors[grantorIdx].offset - mapOffset + grantors[grantorIdx].extent;
 void* address = mmap(0, mapLength, PROT_READ | PROT_WRITE, MAP_SHARED, handle->data[fdIndex],
diff --git a/x86_64/arch-x86-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so b/x86_64/arch-x86-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
index 07c1213..63cba44 100755
--- a/x86_64/arch-x86-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/x86_64/arch-x86-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
diff --git a/x86_64/arch-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so b/x86_64/arch-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
Binary files differ
index 4ab9665..960ec0a 100755
--- a/x86_64/arch-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
+++ b/x86_64/arch-x86_64/shared/vndk-core/libstagefright_bufferpool@2.0.so
diff --git a/x86_64/include/system/libfmq/include/fmq/MessageQueueBase.h b/x86_64/include/system/libfmq/include/fmq/MessageQueueBase.h
index c34a4ff..f4bf7e2 100644
--- a/x86_64/include/system/libfmq/include/fmq/MessageQueueBase.h
+++ b/x86_64/include/system/libfmq/include/fmq/MessageQueueBase.h
@@ -586,12 +586,6 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 return;
 }
- const auto& grantors = mDesc->grantors();
- for (const auto& grantor : grantors) {
- hardware::details::check(hardware::details::isAlignedToWordBoundary(grantor.offset) == true,
- "Grantor offsets need to be aligned");
- }
-
 if (flavor == kSynchronizedReadWrite) {
 mReadPtr = reinterpret_cast<std::atomic<uint64_t>*>(
 mapGrantorDescr(hardware::details::READPTRPOS));
@@ -602,11 +596,11 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 */
 mReadPtr = new (std::nothrow) std::atomic<uint64_t>;
 }
- hardware::details::check(mReadPtr != nullptr, "mReadPtr is null");
+ if (mReadPtr == nullptr) goto error;
 mWritePtr = reinterpret_cast<std::atomic<uint64_t>*>(
 mapGrantorDescr(hardware::details::WRITEPTRPOS));
- hardware::details::check(mWritePtr != nullptr, "mWritePtr is null");
+ if (mWritePtr == nullptr) goto error;
 if (resetPointers) {
 mReadPtr->store(0, std::memory_order_release);
@@ -617,14 +611,32 @@ void MessageQueueBase<MQDescriptorType, T, flavor>::initMemory(bool resetPointer
 }
 mRing = reinterpret_cast<uint8_t*>(mapGrantorDescr(hardware::details::DATAPTRPOS));
- hardware::details::check(mRing != nullptr, "mRing is null");
+ if (mRing == nullptr) goto error;
 if (mDesc->countGrantors() > hardware::details::EVFLAGWORDPOS) {
 mEvFlagWord = static_cast<std::atomic<uint32_t>*>(
 mapGrantorDescr(hardware::details::EVFLAGWORDPOS));
- hardware::details::check(mEvFlagWord != nullptr, "mEvFlagWord is null");
+ if (mEvFlagWord == nullptr) goto error;
 android::hardware::EventFlag::createEventFlag(mEvFlagWord, &mEventFlag);
 }
+ return;
+error:
+ if (mReadPtr) {
+ if (flavor == kSynchronizedReadWrite) {
+ unmapGrantorDescr(mReadPtr, hardware::details::READPTRPOS);
+ } else {
+ delete mReadPtr;
+ }
+ mReadPtr = nullptr;
+ }
+ if (mWritePtr) {
+ unmapGrantorDescr(mWritePtr, hardware::details::WRITEPTRPOS);
+ mWritePtr = nullptr;
+ }
+ if (mRing) {
+ unmapGrantorDescr(mRing, hardware::details::EVFLAGWORDPOS);
+ mRing = nullptr;
+ }
 }
 template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
@@ -1234,7 +1246,7 @@ bool MessageQueueBase<MQDescriptorType, T, flavor>::isValid() const {
 template <template <typename, MQFlavor> typename MQDescriptorType, typename T, MQFlavor flavor>
 void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t grantorIdx) {
 const native_handle_t* handle = mDesc->handle();
- auto grantors = mDesc->grantors();
+ const std::vector<android::hardware::GrantorDescriptor> grantors = mDesc->grantors();
 if (handle == nullptr) {
 hardware::details::logError("mDesc->handle is null");
 return nullptr;
@@ -1247,10 +1259,32 @@ void* MessageQueueBase<MQDescriptorType, T, flavor>::mapGrantorDescr(uint32_t gr
 }
 int fdIndex = grantors[grantorIdx].fdIndex;
+ if (fdIndex < 0 || fdIndex >= handle->numFds) {
+ hardware::details::logError(
+ std::string("fdIndex (" + std::to_string(fdIndex) + ") from grantor (index " +
+ std::to_string(grantorIdx) +
+ ") must be smaller than the number of fds in the handle: " +
+ std::to_string(handle->numFds)));
+ return nullptr;
+ }
+
 /*
 * Offset for mmap must be a multiple of PAGE_SIZE.
 */
+ if (!hardware::details::isAlignedToWordBoundary(grantors[grantorIdx].offset)) {
+ hardware::details::logError("Grantor (index " + std::to_string(grantorIdx) +
+ ") offset needs to be aligned to word boundary but is: " +
+ std::to_string(grantors[grantorIdx].offset));
+ return nullptr;
+ }
+
 int mapOffset = (grantors[grantorIdx].offset / PAGE_SIZE) * PAGE_SIZE;
+ if (grantors[grantorIdx].extent < 0 || grantors[grantorIdx].extent > INT_MAX - PAGE_SIZE) {
+ hardware::details::logError(std::string("Grantor (index " + std::to_string(grantorIdx) +
+ ") extent value is too large or negative: " +
+ std::to_string(grantors[grantorIdx].extent)));
+ return nullptr;
+ }
 int mapLength = grantors[grantorIdx].offset - mapOffset + grantors[grantorIdx].extent;
 void* address = mmap(0, mapLength, PROT_READ | PROT_WRITE, MAP_SHARED, handle->data[fdIndex], |