diff options
| author | Derek Sollenberger <djsollen@google.com> | 2015-05-13 15:45:04 -0400 |
|---|---|---|
| committer | Derek Sollenberger <djsollen@google.com> | 2015-05-13 15:45:04 -0400 |
| commit | 3082fe440f90b7a3e6e031b6641f4a71b907dd4f (patch) | |
| tree | 61fd3a3666c30d50c7c621a40450a7c21429fbe4 /core/jni | |
| parent | 90c66e3ded4a91613b0c1760ab2ef15e0d118a36 (diff) | |
| download | frameworks_base-3082fe440f90b7a3e6e031b6641f4a71b907dd4f.zip frameworks_base-3082fe440f90b7a3e6e031b6641f4a71b907dd4f.tar.gz frameworks_base-3082fe440f90b7a3e6e031b6641f4a71b907dd4f.tar.bz2 | |
Ensure that unparcelling Region only reads the expected number of bytes
bug: 20883006
Change-Id: I4f109667fb210a80fbddddf5f1bfb7ef3a02b6ce
Diffstat (limited to 'core/jni')
| -rw-r--r-- | core/jni/android/graphics/Region.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/core/jni/android/graphics/Region.cpp b/core/jni/android/graphics/Region.cpp index 90a020e..cf02e39 100644 --- a/core/jni/android/graphics/Region.cpp +++ b/core/jni/android/graphics/Region.cpp @@ -206,15 +206,20 @@ static jstring Region_toString(JNIEnv* env, jobject clazz, jlong regionHandle) { static jlong Region_createFromParcel(JNIEnv* env, jobject clazz, jobject parcel) { - if (parcel == NULL) { - return NULL; + if (parcel == nullptr) { + return 0; } android::Parcel* p = android::parcelForJavaObject(env, parcel); SkRegion* region = new SkRegion; size_t size = p->readInt32(); - region->readFromMemory(p->readInplace(size), size); + size_t actualSize = region->readFromMemory(p->readInplace(size), size); + + if (size != actualSize) { + delete region; + return 0; + } return reinterpret_cast<jlong>(region); } |