diff options
| author | Leon Scroggins III <scroggo@google.com> | 2015-05-29 16:13:11 -0400 |
|---|---|---|
| committer | Leon Scroggins <scroggo@google.com> | 2015-05-29 20:14:58 +0000 |
| commit | 6549eed89e50ceafdb88646339288f820711d840 (patch) | |
| tree | cd9d76dacf14a153dd1794870c5ba751a9dc2a1f | |
| parent | c7a558fe73631e438061c31a54861594f0eb024f (diff) | |
| download | frameworks_base-6549eed89e50ceafdb88646339288f820711d840.zip frameworks_base-6549eed89e50ceafdb88646339288f820711d840.tar.gz frameworks_base-6549eed89e50ceafdb88646339288f820711d840.tar.bz2 | |
DO NOT MERGE: Ensure that unparcelling Region only reads the expected number of bytes
bug: 20883006
Change-Id: I4f109667fb210a80fbddddf5f1bfb7ef3a02b6ce
| -rw-r--r-- | core/jni/android/graphics/Region.cpp | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/core/jni/android/graphics/Region.cpp b/core/jni/android/graphics/Region.cpp index 6b99de8..ec4d8bf 100644 --- a/core/jni/android/graphics/Region.cpp +++ b/core/jni/android/graphics/Region.cpp @@ -218,7 +218,12 @@ static jlong Region_createFromParcel(JNIEnv* env, jobject clazz, jobject parcel) return NULL; } SkRegion* region = new SkRegion; - region->readFromMemory(regionData, size); + size_t actualSize = region->readFromMemory(regionData, size); + + if (size != actualSize) { + delete region; + return NULL; + } return reinterpret_cast<jlong>(region); } |