summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Lentine <mlentine@google.com>2015-05-28 17:43:06 -0700
committerDan Stoza <stoza@google.com>2015-06-01 11:12:28 -0700
commit9530388b260ddd47c4e013b10f7f56b987d4f79f (patch)
treecbcb61c937ef8f1b241a26e6ebc1350c39dd9999
parenta8702c4765993f31a70243e4f89c251fe9911cde (diff)
downloadframeworks_native-9530388b260ddd47c4e013b10f7f56b987d4f79f.zip
frameworks_native-9530388b260ddd47c4e013b10f7f56b987d4f79f.tar.gz
frameworks_native-9530388b260ddd47c4e013b10f7f56b987d4f79f.tar.bz2
Check that width and height parameters are small.
The product of width and height should be less than UINT32_MAX (in practice smaller). Adding the checks prevents overflows when allocating buffers. Bug: 20726612 Change-Id: I9769edf0688a9bfe69906d49fa0540cadf4c49b0 (cherry picked from commit 1c4537e2e80aa776a61517be8b1605e36432287a)
-rw-r--r--opengl/libagl/egl.cpp35
1 files changed, 31 insertions, 4 deletions
diff --git a/opengl/libagl/egl.cpp b/opengl/libagl/egl.cpp
index 1feac8b..593d0c2 100644
--- a/opengl/libagl/egl.cpp
+++ b/opengl/libagl/egl.cpp
@@ -394,7 +394,13 @@ EGLBoolean egl_window_surface_v2_t::connect()
depth.width = width;
depth.height = height;
depth.stride = depth.width; // use the width here
- depth.data = (GGLubyte*)malloc(depth.stride*depth.height*2);
+ uint64_t allocSize = static_cast<uint64_t>(depth.stride) *
+ static_cast<uint64_t>(depth.height) * 2;
+ if (depth.stride < 0 || depth.height > INT_MAX ||
+ allocSize > UINT32_MAX) {
+ return setError(EGL_BAD_ALLOC, EGL_FALSE);
+ }
+ depth.data = (GGLubyte*)malloc(allocSize);
if (depth.data == 0) {
return setError(EGL_BAD_ALLOC, EGL_FALSE);
}
@@ -548,7 +554,14 @@ EGLBoolean egl_window_surface_v2_t::swapBuffers()
depth.width = width;
depth.height = height;
depth.stride = buffer->stride;
- depth.data = (GGLubyte*)malloc(depth.stride*depth.height*2);
+ uint64_t allocSize = static_cast<uint64_t>(depth.stride) *
+ static_cast<uint64_t>(depth.height) * 2;
+ if (depth.stride < 0 || depth.height > INT_MAX ||
+ allocSize > UINT32_MAX) {
+ setError(EGL_BAD_ALLOC, EGL_FALSE);
+ return EGL_FALSE;
+ }
+ depth.data = (GGLubyte*)malloc(allocSize);
if (depth.data == 0) {
setError(EGL_BAD_ALLOC, EGL_FALSE);
return EGL_FALSE;
@@ -666,7 +679,14 @@ egl_pixmap_surface_t::egl_pixmap_surface_t(EGLDisplay dpy,
depth.width = pixmap->width;
depth.height = pixmap->height;
depth.stride = depth.width; // use the width here
- depth.data = (GGLubyte*)malloc(depth.stride*depth.height*2);
+ uint64_t allocSize = static_cast<uint64_t>(depth.stride) *
+ static_cast<uint64_t>(depth.height) * 2;
+ if (depth.stride < 0 || depth.height > INT_MAX ||
+ allocSize > UINT32_MAX) {
+ setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
+ return;
+ }
+ depth.data = (GGLubyte*)malloc(allocSize);
if (depth.data == 0) {
setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
}
@@ -746,7 +766,14 @@ egl_pbuffer_surface_t::egl_pbuffer_surface_t(EGLDisplay dpy,
depth.width = pbuffer.width;
depth.height = pbuffer.height;
depth.stride = depth.width; // use the width here
- depth.data = (GGLubyte*)malloc(depth.stride*depth.height*2);
+ uint64_t allocSize = static_cast<uint64_t>(depth.stride) *
+ static_cast<uint64_t>(depth.height) * 2;
+ if (depth.stride < 0 || depth.height > INT_MAX ||
+ allocSize > UINT32_MAX) {
+ setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
+ return;
+ }
+ depth.data = (GGLubyte*)malloc(allocSize);
if (depth.data == 0) {
setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
return;