diff options
| author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-18 03:39:03 +0200 |
|---|---|---|
| committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-18 03:39:03 +0200 |
| commit | ec0731bc1aaeeba6ee74cfafa1688b5a7740549a (patch) | |
| tree | f0352739140a26ff02b373c208753edfd6daf948 | |
| parent | bb35eca0884d71ba863044f2bb71623e83a419cc (diff) | |
| download | frameworks_base-ec0731bc1aaeeba6ee74cfafa1688b5a7740549a.zip frameworks_base-ec0731bc1aaeeba6ee74cfafa1688b5a7740549a.tar.gz frameworks_base-ec0731bc1aaeeba6ee74cfafa1688b5a7740549a.tar.bz2 | |
Fix for CVE-2015-1536
Port of upstream commit d44e5bde18a41beda39d49189bef7f2ba7c8f3cb
from Leon Scroggins III <scroggo@google.com>
Original commit message:
Make Bitmap_createFromParcel check the color count. DO NOT MERGE
When reading from the parcel, if the number of colors is invalid, early
exit.
Add two more checks: setInfo must return true, and Parcel::readInplace
must return non-NULL. The former ensures that the previously read values
(width, height, etc) were valid, and the latter checks that the Parcel
had enough data even if the number of colors was reasonable.
Also use an auto-deleter to handle deletion of the SkBitmap.
Cherry pick from change-Id: Icbd562d6d1f131a723724883fd31822d337cf5a6
BUG=19666945
Change-Id: Iab0d218c41ae0c39606e333e44cda078eef32291
| -rw-r--r-- | core/jni/android/graphics/Bitmap.cpp | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/core/jni/android/graphics/Bitmap.cpp b/core/jni/android/graphics/Bitmap.cpp index 7c5da26..74f91d2 100644 --- a/core/jni/android/graphics/Bitmap.cpp +++ b/core/jni/android/graphics/Bitmap.cpp @@ -394,24 +394,31 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) { return NULL;
}
- SkBitmap* bitmap = new SkBitmap;
+ SkAutoTDelete<SkBitmap> bitmap(new SkBitmap);
bitmap->setConfig(config, width, height, rowBytes);
SkColorTable* ctable = NULL;
if (config == SkBitmap::kIndex8_Config) {
int count = p->readInt32();
+ if (count < 0 || count > 256) {
+ // The data is corrupt, since SkColorTable enforces a value between 0 and 256,
+ // inclusive.
+ return NULL;
+ }
if (count > 0) {
size_t size = count * sizeof(SkPMColor);
const SkPMColor* src = (const SkPMColor*)p->readInplace(size);
+ if (src == NULL) {
+ return NULL;
+ }
ctable = new SkColorTable(src, count);
}
}
- jbyteArray buffer = GraphicsJNI::allocateJavaPixelRef(env, bitmap, ctable);
+ jbyteArray buffer = GraphicsJNI::allocateJavaPixelRef(env, bitmap.get(), ctable);
if (NULL == buffer) {
SkSafeUnref(ctable);
- delete bitmap;
return NULL;
}
@@ -423,7 +430,6 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) { android::status_t status = p->readBlob(size, &blob);
if (status) {
doThrowRE(env, "Could not read bitmap from parcel blob.");
- delete bitmap;
return NULL;
}
@@ -432,7 +438,7 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) { bitmap->unlockPixels();
blob.release();
- return GraphicsJNI::createBitmap(env, bitmap, buffer, isMutable, NULL, NULL, density);
+ return GraphicsJNI::createBitmap(env, bitmap.detach(), buffer, isMutable, NULL, NULL, density);
}
static jboolean Bitmap_writeToParcel(JNIEnv* env, jobject,
|