Fix OOB Read in setOperandValue Bug: 269456018 Test: Run the POC (cherry picked from https://android-review.googlesource.com/q/commit:c45bdb6ac47bf8cf2853144e82910f43f2f0b1e9) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:da885e104c92c440b697834926ac4a772758d5c3) Merged-In: I7325d56a380f05753356875623a2b5eaba3ca578 Change-Id: I7325d56a380f05753356875623a2b5eaba3ca578

commit: c24378a0b13fed9f3e23b923819bdff11aef08e6 [log] [tgz]
author: Przemysław Szczepaniak <[email protected]> Mon Mar 13 14:38:28 2023 +0000
committer: Android Build Coastguard Worker <[email protected]> Fri Jun 16 08:31:52 2023 +0000
tree: cf87fd0b216598078f9f25e649efb4508efb9acd
parent: 78998e05045ff3f7821ef7e972ebfcb3bf1d4422 [diff]
diff --git a/shim_and_sl/ShimConverter.cpp b/shim_and_sl/ShimConverter.cpp
index 2cbdc09..1ed0e31 100644
--- a/shim_and_sl/ShimConverter.cpp
+++ b/shim_and_sl/ShimConverter.cpp

@@ -128,6 +128,12 @@
 
         switch (operand.lifetime) {
             case OperandLifeTime::CONSTANT_COPY: {
+                if (operand.location.length + operand.location.offset >
+                    model.operandValues.size()) {
+                    *errorStatus = ErrorStatus::INVALID_ARGUMENT;
+                    return nullptr;
+                }
+
                 if (operand.location.length <=
                     ANEURALNETWORKS_MAX_SIZE_OF_IMMEDIATELY_COPIED_VALUES) {
                     resultModel.setOperandValue(
commit	c24378a0b13fed9f3e23b923819bdff11aef08e6	[log] [tgz]
author	Przemysław Szczepaniak <[email protected]>	Mon Mar 13 14:38:28 2023 +0000
committer	Android Build Coastguard Worker <[email protected]>	Fri Jun 16 08:31:52 2023 +0000
tree	cf87fd0b216598078f9f25e649efb4508efb9acd
parent	78998e05045ff3f7821ef7e972ebfcb3bf1d4422 [diff]