diff options
author | Lajos Molnar <lajos@google.com> | 2014-03-24 16:18:36 -0700 |
---|---|---|
committer | Lajos Molnar <lajos@google.com> | 2014-03-24 19:18:31 -0700 |
commit | eb5d7f2f1cc049ea7f95a4f089ce2113d7683dda (patch) | |
tree | 18f2e7cd60173d83caf6bfa8158cdc7ba71bbc12 /media/mtp | |
parent | 55d15957bc44d11052e1cb3eea3340ec00f70bae (diff) | |
download | frameworks_av-eb5d7f2f1cc049ea7f95a4f089ce2113d7683dda.zip frameworks_av-eb5d7f2f1cc049ea7f95a4f089ce2113d7683dda.tar.gz frameworks_av-eb5d7f2f1cc049ea7f95a4f089ce2113d7683dda.tar.bz2 |
mtp: avoid silent allocation overflow in MtpProperty
Bug: 13006907
Change-Id: Ice0352394840132c9c2ce6c28366632c792a32c0
Diffstat (limited to 'media/mtp')
-rw-r--r-- | media/mtp/MtpProperty.cpp | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/media/mtp/MtpProperty.cpp b/media/mtp/MtpProperty.cpp index 3838ce8..c500901 100644 --- a/media/mtp/MtpProperty.cpp +++ b/media/mtp/MtpProperty.cpp @@ -17,6 +17,7 @@ #define LOG_TAG "MtpProperty" #include <inttypes.h> +#include <cutils/compiler.h> #include "MtpDataPacket.h" #include "MtpDebug.h" #include "MtpProperty.h" @@ -518,8 +519,14 @@ void MtpProperty::writeValue(MtpDataPacket& packet, MtpPropertyValue& value) { MtpPropertyValue* MtpProperty::readArrayValues(MtpDataPacket& packet, int& length) { length = packet.getUInt32(); - if (length == 0) + // Fail if resulting array is over 2GB. This is because the maximum array + // size may be less than SIZE_MAX on some platforms. + if ( CC_UNLIKELY( + length == 0 || + length >= INT32_MAX / sizeof(MtpPropertyValue)) ) { + length = 0; return NULL; + } MtpPropertyValue* result = new MtpPropertyValue[length]; for (int i = 0; i < length; i++) readValue(packet, result[i]); |