From e6eb42cb2e57747e52e488d54da314bc6eabb546 Mon Sep 17 00:00:00 2001
From: Chia-I Wu
Date: Tue, 9 Oct 2018 15:22:46 -0700
Subject: libui: add boundary check to GraphicBuffer::unflatten
Commit cb496acbe593326e8d5d563847067d02b2df40ec removed the boundary check by accident.
Bug: 114223584
Test: manual
Change-Id: I057bc02d5807e438530d1a5327c2e02b9d154151
(cherry picked from commit bf8d7210c4bbbdc875e9695a301cdf9c3b544279)
---
 libs/ui/GraphicBuffer.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index c8805000a4..6235bd6cc4 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -372,6 +372,10 @@ status_t GraphicBuffer::flatten(void*& buffer, size_t& size, int*& fds, size_t&
 status_t GraphicBuffer::unflatten(
 void const*& buffer, size_t& size, int const*& fds, size_t& count) {
+ if (size < 12 * sizeof(int)) {
+ android_errorWriteLog(0x534e4554, "114223584");
+ return NO_MEMORY;
+ }
 int const* buf = static_cast(buffer);
-- cgit v1.2.3
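Review bot: The new guard at the top of `GraphicBuffer::unflatten` hard-codes `12 * sizeof(int)` without saying what the twelve words are, and the commit message says the previous check was already removed once by accident. A comment on the guard such as `// the fixed header is 12 ints; reject shorter input before buf[] is read`, or a named constant for the header word count, would make the intent visible to the next refactor. The check only establishes that the fixed-size header is present, so any length or fd-count values later read from that header still need their own validation against `size` and `count`; the rest of the function body is outside this hunk, so that should be confirmed there. With `Test: manual` there is no regression coverage, and a unit test that passes a buffer shorter than the header and expects `NO_MEMORY` would catch a second accidental removal.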