summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChia-I Wu <olv@google.com>2018-10-09 15:22:46 -0700
committerandroid-build-team Robot <android-build-team-robot@google.com>2018-10-20 00:18:00 +0000
commit955ef12c555fdc227154182965ecc42dd423f898 (patch)
treec793398f5c63dfbe258254bb50528c9ca1955f4f
parentee5a769a46085b414b3b48b94a0ee541b4bbdabc (diff)
downloadnative-955ef12c555fdc227154182965ecc42dd423f898.tar.gz
libui: add boundary check to GraphicBuffer::unflatten
Commit cb496acbe593326e8d5d563847067d02b2df40ec removed the boundary check by accident. Bug: 114223584 Test: manual Change-Id: I057bc02d5807e438530d1a5327c2e02b9d154151 (cherry picked from commit bf8d7210c4bbbdc875e9695a301cdf9c3b544279)
-rw-r--r--libs/ui/GraphicBuffer.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 254038b0ad..7670ac6fbd 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -377,6 +377,10 @@ status_t GraphicBuffer::flatten(void*& buffer, size_t& size, int*& fds, size_t&
status_t GraphicBuffer::unflatten(
void const*& buffer, size_t& size, int const*& fds, size_t& count) {
+ if (size < 12 * sizeof(int)) {
+ android_errorWriteLog(0x534e4554, "114223584");
+ return NO_MEMORY;
+ }
int const* buf = static_cast<int const*>(buffer);