author | Pablo Ceballos <pceballos@google.com> | 2016-07-13 14:11:57 -0700 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-07-21 17:14:11 -0700 |
commit | 9e69dc3e20ec4f3ed474989ccbf6dbd7f79a7455 (patch) | |
tree | 9b9978a1cfcf64ce4319da736d9ffb7e1948af73 | |
parent | 44d3dc299074c058e871a713d1946e7715393a0b (diff) | |
download | native-9e69dc3e20ec4f3ed474989ccbf6dbd7f79a7455.tar.gz |
Region: Detect malicious overflow in unflatten [android-6.0.1_r68] [android-6.0.1_r67] [marshmallow-dr1.6-release]
Bug 29983260
Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
-rw-r--r-- | libs/ui/Region.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp
index 3810da4049..cfed7a984c 100644
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp
@@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
 return NO_MEMORY;
 }
+ if (numRects > (UINT32_MAX / sizeof(Rect))) {
+ android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
+ return NO_MEMORY;
+ }
+
 Region result;
 result.mStorage.clear();
 for (size_t r = 0; r < numRects; ++r) {
 |
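Review bot: The added `numRects > (UINT32_MAX / sizeof(Rect))` guard sits after an earlier check whose `return NO_MEMORY;` closes just above it, and that check's condition is outside the hunk. If it compares `size` against a `numRects * sizeof(Rect)` product, that product can still wrap where `size_t` is 32 bits, and only this second test rejects the input. Moving the guard ahead of the size comparison, or writing the comparison in division form such as `if (numRects > size / sizeof(Rect))` (with `size` being the bytes left after the count field), would keep any bounds decision from depending on a wrapped value. The log call would also benefit from a comment such as `// 0x534e4554 ("SNET") is the event-log tag for exploit-attempt reports; "29983260" is the bug id`, since neither the magic tag nor the choice of `UINT32_MAX` over `SIZE_MAX` is explained. `unflatten` starts and ends outside this hunk, so the type of `numRects` and the preceding check should be confirmed against the full function.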