author | Andy Hung <hunga@google.com> | 2014-07-29 12:14:00 -0700 |
---|---|---|
committer | Lajos Molnar <lajos@google.com> | 2014-07-30 00:57:50 +0000 |
commit | d00b7d1fb949e226b189e7d0047d78531b3264da (patch) | |
tree | 9f77f0443da0a19b855ac50f9fdc5e0eb58893bd /include/media | |
parent | 141670d465d7673dfa6ad712ad100f84882dfa95 (diff) | |
Add isSafeArraySize for new array size checks
Bug: 15328708
Change-Id: I9dfca30745c3e4dda91c3894363462f8631c41a1
Diffstat (limited to 'include/media')
-rw-r--r-- | include/media/stagefright/foundation/ABase.h | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/include/media/stagefright/foundation/ABase.h b/include/media/stagefright/foundation/ABase.h
index 9eceea3..949d49e 100644
--- a/include/media/stagefright/foundation/ABase.h
+++ b/include/media/stagefright/foundation/ABase.h
@@ -22,4 +22,31 @@ name(const name &); \
 name &operator=(const name &)
+/* Returns true if the size parameter is safe for new array allocation (32-bit)
+ *
+ * Example usage:
+ *
+ * if (!isSafeArraySize<uint32_t>(arraySize)) {
+ * return BAD_VALUE;
+ * }
+ * ...
+ * uint32_t *myArray = new uint32_t[arraySize];
+ *
+ * There is a bug in gcc versions earlier than 4.8 where the new[] array allocation
+ * will overflow in the internal 32 bit heap allocation, resulting in an
+ * underallocated array. This is a security issue that allows potential overwriting
+ * of other heap data.
+ *
+ * An alternative to checking is to create a safe new array template function which
+ * either throws a std::bad_alloc exception or returns NULL/nullptr_t; NULL considered
+ * safe since normal access of NULL throws an exception.
+ *
+ * https://securityblog.redhat.com/2012/10/31/array-allocation-in-cxx/
+ */
+template <typename T, typename S>
+bool isSafeArraySize(S size) {
+ return size >= 0 // in case S is signed, ignored if not.
+ && size <= 0xffffffff / sizeof(T); // max-unsigned-32-bit-int / element-size.
+}
+
 #endif // A_BASE_H_ |
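Review bot: The `size >= 0` test in isSafeArraySize is a tautological comparison whenever S is an unsigned type, and gcc/clang diagnose that under -Wextra (-Wtype-limits / -Wtautological-compare); since ABase.h is a widely included foundation header, any client built with -Werror would fail to compile the first time it instantiates the template with a `size_t` or `uint32_t` size. A single comparison avoids the warning and keeps the rejection of negative signed sizes, because a negative value converted to an unsigned 64-bit type lands far above the cap: `return static_cast<uint64_t>(size) <= 0xffffffffULL / sizeof(T);` (assuming a <stdint.h> integer type is available in this header — the hunk does not show its includes). The cap is deliberately the 32-bit byte count even on 64-bit builds, which is worth stating in the header comment, e.g. `// Caps the total byte count at 0xffffffff on every platform, not just 32-bit ones.`, so callers on 64-bit targets are not surprised when a >4 GiB request is rejected. Separately, the comment's claim that "normal access of NULL throws an exception" is not accurate for C++ on Android, where a null dereference is undefined behaviour that in practice raises SIGSEGV; rewording it to say that a null return is detectable by the caller and that dereferencing it crashes rather than silently corrupting the heap would keep the security rationale correct.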