Gralloc: Use handle reserved size while importing buffer Instead of metadata reserved_size, use handle reserved size while import as metadata reserved size can be modified by client which can cause memory corruption. Bug: 253297595 Change-Id: Iedbb9eea589b56e81e044603c958f0b2c4cb3720 Signed-off-by: Guus Sliepen <[email protected]>

commit: af82c80bdaf4da86832d31a9c1ca76fe3c123b12 [log] [tgz]
author: Baldev Sahu <[email protected]> Fri Nov 11 15:03:25 2022 +0530
committer: Guus Sliepen <[email protected]> Tue Apr 04 12:55:00 2023 +0000
tree: 64dc049b9f04a72347965f3a2285299d6d9169e9
parent: 58137990bb14cdac7b0e368bc8e3b92081dc2d2a [diff]
diff --git a/gralloc/gr_buf_mgr.cpp b/gralloc/gr_buf_mgr.cpp
index 72b72fb..61249a9 100644
--- a/gralloc/gr_buf_mgr.cpp
+++ b/gralloc/gr_buf_mgr.cpp

@@ -806,9 +806,8 @@
   auto buffer = std::make_shared<Buffer>(hnd, ion_handle, ion_handle_meta);
 
   if (hnd->base_metadata) {
-    auto metadata = reinterpret_cast<MetaData_t *>(hnd->base_metadata);
 #ifdef METADATA_V2
-    buffer->reserved_size = metadata->reservedSize;
+    buffer->reserved_size = hnd->reserved_size;
     if (buffer->reserved_size > 0) {
       buffer->reserved_region_ptr =
           reinterpret_cast<void *>(hnd->base_metadata + sizeof(MetaData_t));
commit	af82c80bdaf4da86832d31a9c1ca76fe3c123b12	[log] [tgz]
author	Baldev Sahu <[email protected]>	Fri Nov 11 15:03:25 2022 +0530
committer	Guus Sliepen <[email protected]>	Tue Apr 04 12:55:00 2023 +0000
tree	64dc049b9f04a72347965f3a2285299d6d9169e9
parent	58137990bb14cdac7b0e368bc8e3b92081dc2d2a [diff]