author | Michael Lentine <mlentine@google.com> | 2014-12-02 17:52:00 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-12-02 17:52:00 +0000 |
commit | 76ebd319d96494049a2a598f4449c0ec417220f6 (patch) | |
tree | 409071823687cbcc251ebe00331dc167fd20860e /libs/ui | |
parent | 9c7db08049e1d36c2f60dd703f27c432bc8cfbc5 (diff) | |
parent | 3d89edca65e07319c9ac3b9bb9889e80e8c40578 (diff) | |
am 3d89edca: am e6f7a44e: Fix for corruption when numFds or numInts is too large.
* commit '3d89edca65e07319c9ac3b9bb9889e80e8c40578':
Fix for corruption when numFds or numInts is too large.
Diffstat (limited to 'libs/ui')
-rw-r--r-- | libs/ui/GraphicBuffer.cpp | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 0ecd3d9..dde724d 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -251,10 +251,19 @@ status_t GraphicBuffer::unflatten(
 const size_t numFds = buf[6];
 const size_t numInts = buf[7];
+ const size_t maxNumber = UINT_MAX / sizeof(int);
+ if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+ width = height = stride = format = usage = 0;
+ handle = NULL;
+ ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+ numFds, numInts);
+ return BAD_VALUE;
+ }
+
 const size_t sizeNeeded = (8 + numInts) * sizeof(int);
 if (size < sizeNeeded) return NO_MEMORY;
- size_t fdCountNeeded = 0;
+ size_t fdCountNeeded = numFds;
 if (count < fdCountNeeded) return NO_MEMORY;
 if (handle) {
@@ -269,6 +278,12 @@ status_t GraphicBuffer::unflatten(
 format = buf[4];
 usage = buf[5];
 native_handle* h = native_handle_create(numFds, numInts);
+ if (!h) {
+ width = height = stride = format = usage = 0;
+ handle = NULL;
+ ALOGE("unflatten: native_handle_create failed");
+ return NO_MEMORY;
+ }
 memcpy(h->data, fds, numFds*sizeof(int));
 memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
 handle = h; |
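Review bot: The new `ALOGE` call formats `numFds` and `numInts` with `%d`, but both are declared `size_t`, so on a build where `size_t` is wider than `int` the arguments are read with the wrong width and the logged values cannot be trusted; `%zu` matches the type: `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The same rejection path sets `handle = NULL` before the `if (handle) {` block at the end of this hunk is reached. If that block is what releases a handle the object already owns (its body is outside the hunk), a malformed buffer would drop that handle without freeing it, so the release should happen before the reset on this path as well. The `10` in `maxNumber - 10` deserves a one-line comment naming the header words it reserves, since `sizeNeeded` just below adds only 8. The body of `unflatten` starts before and continues past this hunk.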
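Review bot: The two `memcpy` calls after the new null check fill `h->data` with `numFds + numInts` ints, yet the range check added earlier in the function bounds each count only on its own. The combined size is therefore limited only by the later `size` and `count` comparisons and by whatever `native_handle_create` validates internally, which is not visible here. Adding `|| numFds + numInts >= maxNumber - 10` to that earlier condition would keep the byte size of the data array from wrapping where `size_t` is 32 bits, without depending on the callee. The reset sequence `width = height = stride = format = usage = 0; handle = NULL;` now appears in both hunks and could live in one small private helper so the two failure paths cannot drift apart. The function continues past the end of this hunk.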