diff options
| author | Adam Lesinski <adamlesinski@google.com> | 2015-04-27 12:13:33 -0700 |
|---|---|---|
| committer | Adam Lesinski <adamlesinski@google.com> | 2015-05-15 13:09:39 -0700 |
| commit | 07edc3b3b3caef7829850633f928ae05f6d49f3a (patch) | |
| tree | cc2b7395e3824caac5c9527882c7875b9de56d90 /libcutils | |
| parent | eb19e766322fb57ccde989e0e35b0ac3e28a4ac2 (diff) | |
| download | system_core-07edc3b3b3caef7829850633f928ae05f6d49f3a.zip system_core-07edc3b3b3caef7829850633f928ae05f6d49f3a.tar.gz system_core-07edc3b3b3caef7829850633f928ae05f6d49f3a.tar.bz2 | |
Prevent integer overflow when allocating native_handle_t
User specified values of numInts and numFds can overflow
and cause malloc to allocate less than we expect, causing
heap corruption in subsequent operations on the allocation.
Bug: 19334482
Change-Id: I43c75f536ea4c08f14ca12ca6288660fd2d1ec55
Diffstat (limited to 'libcutils')
| -rw-r--r-- | libcutils/native_handle.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libcutils/native_handle.c b/libcutils/native_handle.c index 9a4a5bb..61fa38e 100644 --- a/libcutils/native_handle.c +++ b/libcutils/native_handle.c @@ -25,11 +25,17 @@ #include <cutils/log.h> #include <cutils/native_handle.h> +static const int kMaxNativeFds = 1024; +static const int kMaxNativeInts = 1024; + native_handle_t* native_handle_create(int numFds, int numInts) { - native_handle_t* h = malloc( - sizeof(native_handle_t) + sizeof(int)*(numFds+numInts)); + if (numFds < 0 || numInts < 0 || numFds > kMaxNativeFds || numInts > kMaxNativeInts) { + return NULL; + } + size_t mallocSize = sizeof(native_handle_t) + (sizeof(int) * (numFds + numInts)); + native_handle_t* h = malloc(mallocSize); if (h) { h->version = sizeof(native_handle_t); h->numFds = numFds; |