From d0efcbbbb5145da42beafd36f86a6d90047ce9af Mon Sep 17 00:00:00 2001
From: Jae Seo <jaeseo@google.com>
Date: Fri, 12 Feb 2016 00:12:36 -0800
Subject: [PATCH] TIF: Check the CEC message length before copying the data

Bug: 25768736
Change-Id: Ife46891e785fe816c0ee6ba65bd57512366ce84d
---
 services/core/jni/com_android_server_hdmi_HdmiCecController.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/core/jni/com_android_server_hdmi_HdmiCecController.cpp b/services/core/jni/com_android_server_hdmi_HdmiCecController.cpp
index b72cf4dc94d0f..656c2141ff2ee 100644
--- a/services/core/jni/com_android_server_hdmi_HdmiCecController.cpp
+++ b/services/core/jni/com_android_server_hdmi_HdmiCecController.cpp
@@ -330,7 +330,7 @@ static jint nativeSendCecCommand(JNIEnv* env, jclass clazz, jlong controllerPtr,
     jsize len = env->GetArrayLength(body);
     message.length = MIN(len, CEC_MESSAGE_BODY_MAX_LENGTH);
     ScopedByteArrayRO bodyPtr(env, body);
-    std::memcpy(message.body, bodyPtr.get(), len);
+    std::memcpy(message.body, bodyPtr.get(), message.length);
 
     HdmiCecController* controller =
             reinterpret_cast<HdmiCecController*>(controllerPtr);