diff options
author | Sergio Giro <sgiro@google.com> | 2015-08-18 17:36:50 +0100 |
---|---|---|
committer | ] <sgiro@google.com> | 2015-08-25 17:40:47 +0100 |
commit | d95e47f13633feac9adb4ec5ce29392cfb628591 (patch) | |
tree | 26356da86e858df6d4b281f1b5f2b83a1d629d4c /libutils/SharedBuffer.cpp | |
parent | 219a006f89a5448a9a6eeb1f37ad0088e85bd3f8 (diff) | |
download | system_core-d95e47f13633feac9adb4ec5ce29392cfb628591.zip system_core-d95e47f13633feac9adb4ec5ce29392cfb628591.tar.gz system_core-d95e47f13633feac9adb4ec5ce29392cfb628591.tar.bz2 |
libutils: fix overflow in SharedBuffer [DO NOT MERGE]
See
https://code.google.com/p/android/issues/detail?id=181910
Bug: 22952485
(cherry picked from commit 66b6eb9490beeeabc804d790c1c4060ce047afd4)
Change-Id: I363f49b5b3c6b7b3ac08cba2c14d72c431588c5a
Diffstat (limited to 'libutils/SharedBuffer.cpp')
-rw-r--r-- | libutils/SharedBuffer.cpp | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/libutils/SharedBuffer.cpp b/libutils/SharedBuffer.cpp index 3555fb7..947551a 100644 --- a/libutils/SharedBuffer.cpp +++ b/libutils/SharedBuffer.cpp @@ -14,9 +14,12 @@ * limitations under the License. */ +#define __STDC_LIMIT_MACROS +#include <stdint.h> #include <stdlib.h> #include <string.h> +#include <log/log.h> #include <utils/SharedBuffer.h> #include <utils/Atomic.h> @@ -26,6 +29,11 @@ namespace android { SharedBuffer* SharedBuffer::alloc(size_t size) { + // Don't overflow if the combined size of the buffer / header is larger than + // size_max. + LOG_ALWAYS_FATAL_IF((size >= (SIZE_MAX - sizeof(SharedBuffer))), + "Invalid buffer size %zu", size); + SharedBuffer* sb = static_cast<SharedBuffer *>(malloc(sizeof(SharedBuffer) + size)); if (sb) { sb->mRefs = 1; @@ -52,7 +60,7 @@ SharedBuffer* SharedBuffer::edit() const memcpy(sb->data(), data(), size()); release(); } - return sb; + return sb; } SharedBuffer* SharedBuffer::editResize(size_t newSize) const @@ -60,6 +68,11 @@ SharedBuffer* SharedBuffer::editResize(size_t newSize) const if (onlyOwner()) { SharedBuffer* buf = const_cast<SharedBuffer*>(this); if (buf->mSize == newSize) return buf; + // Don't overflow if the combined size of the new buffer / header is larger than + // size_max. + LOG_ALWAYS_FATAL_IF((newSize >= (SIZE_MAX - sizeof(SharedBuffer))), + "Invalid buffer size %zu", newSize); + buf = (SharedBuffer*)realloc(buf, sizeof(SharedBuffer) + newSize); if (buf != NULL) { buf->mSize = newSize; |