From 8fd03f4ea423103cde805a70280494c454748dc8 Mon Sep 17 00:00:00 2001 From: Mathias Agopian Date: Tue, 29 May 2012 19:46:14 -0700 Subject: [PATCH] Fix a stack corruption in sensorservice Bug: 6576732 Change-Id: If0f2fb0d0c35b932fb77cd262e676042145b28f9 --- services/sensorservice/SensorService.cpp | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp index d3b667f13d04a..04ec82046e299 100644 --- a/services/sensorservice/SensorService.cpp +++ b/services/sensorservice/SensorService.cpp @@ -225,9 +225,10 @@ bool SensorService::threadLoop() { ALOGD("nuSensorService thread starting..."); - const size_t numEventMax = 16 * (1 + mVirtualSensorList.size()); - sensors_event_t buffer[numEventMax]; - sensors_event_t scratch[numEventMax]; + const size_t numEventMax = 16; + const size_t minBufferSize = numEventMax * mVirtualSensorList.size(); + sensors_event_t buffer[minBufferSize]; + sensors_event_t scratch[minBufferSize]; SensorDevice& device(SensorDevice::getInstance()); const size_t vcount = mVirtualSensorList.size(); @@ -255,10 +256,17 @@ bool SensorService::threadLoop() fusion.process(event[i]); } } - for (size_t i=0 ; i= minBufferSize) { + ALOGE("buffer too small to hold all events: " + "count=%u, k=%u, size=%u", + count, k, minBufferSize); + break; + } sensors_event_t out; - if (virtualSensors.valueAt(j)->process(&out, event[i])) { + SensorInterface* si = virtualSensors.valueAt(j); + if (si->process(&out, event[i])) { buffer[count + k] = out; k++; }