author | Michael Lentine <mlentine@google.com> | 2014-10-31 15:25:03 -0700 |
---|---|---|
committer | Dan Albert <danalbert@google.com> | 2014-12-04 17:49:31 -0800 |
commit | 38803268570f90e97452cd9a30ac831661829091 (patch) | |
tree | faf6fa72d3f92d3a7e92bf768d589e2800e59e42 | |
parent | f8954c81a4ec43958867d1f6f497ef449bf091fd (diff) | |
Fix for corruption when numFds or numInts is too large.
Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6
(cherry picked from commit dfd06b89a4b77fc75eb85a3c1c700da3621c0118)
-rw-r--r-- | libs/ui/GraphicBuffer.cpp | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 9b0bd601cb..e768f13cf4 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -310,10 +310,19 @@ status_t GraphicBuffer::unflatten(
     const size_t numFds = buf[8];
     const size_t numInts = buf[9];
+    const size_t maxNumber = UINT_MAX / sizeof(int);
+    if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+        width = height = stride = format = usage = 0;
+        handle = NULL;
+        ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+                numFds, numInts);
+        return BAD_VALUE;
+    }
+
     const size_t sizeNeeded = (10 + numInts) * sizeof(int);
     if (size < sizeNeeded) return NO_MEMORY;
-    size_t fdCountNeeded = 0;
+    size_t fdCountNeeded = numFds;
     if (count < fdCountNeeded) return NO_MEMORY;
     if (handle) {
@@ -328,6 +337,12 @@ status_t GraphicBuffer::unflatten(
     format = buf[4];
     usage = buf[5];
     native_handle* h = native_handle_create(numFds, numInts);
+    if (!h) {
+        width = height = stride = format = usage = 0;
+        handle = NULL;
+        ALOGE("unflatten: native_handle_create failed");
+        return NO_MEMORY;
+    }
     memcpy(h->data, fds, numFds*sizeof(int));
     memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));
     handle = h;
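Review bot: The new ALOGE in the first hunk passes two `size_t` values (`numFds`, `numInts`) through `%d`; on an LP64 build that is a format/argument mismatch (undefined behavior, and the logged values are garbage exactly when an attacker-controlled oversized count is being rejected), so the line should read `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu",` with the arguments unchanged. The same early-return path also overwrites `handle = NULL` before reaching the `if (handle) {` block, whose body lies outside the hunk; if that block is what releases a previously held native_handle, a GraphicBuffer that already owned a handle would leak it on this BAD_VALUE path — worth confirming, and if so either leave `handle` untouched as the existing NO_MEMORY returns do, or release it first. The enclosing GraphicBuffer::unflatten starts before and ends after the visible hunks.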