diff options
author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-18 03:39:03 +0200 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-18 03:39:03 +0200 |
commit | ec0731bc1aaeeba6ee74cfafa1688b5a7740549a (patch) | |
tree | f0352739140a26ff02b373c208753edfd6daf948 /core/jni/AndroidRuntime.cpp | |
parent | bb35eca0884d71ba863044f2bb71623e83a419cc (diff) | |
download | frameworks_base-ec0731bc1aaeeba6ee74cfafa1688b5a7740549a.zip frameworks_base-ec0731bc1aaeeba6ee74cfafa1688b5a7740549a.tar.gz frameworks_base-ec0731bc1aaeeba6ee74cfafa1688b5a7740549a.tar.bz2 |
Fix for CVE-2015-1536
Port of upstream commit d44e5bde18a41beda39d49189bef7f2ba7c8f3cb
from Leon Scroggins III <scroggo@google.com>
Original commit message:
Make Bitmap_createFromParcel check the color count. DO NOT MERGE
When reading from the parcel, if the number of colors is invalid, early
exit.
Add two more checks: setInfo must return true, and Parcel::readInplace
must return non-NULL. The former ensures that the previously read values
(width, height, etc) were valid, and the latter checks that the Parcel
had enough data even if the number of colors was reasonable.
Also use an auto-deleter to handle deletion of the SkBitmap.
Cherry pick from change-Id: Icbd562d6d1f131a723724883fd31822d337cf5a6
BUG=19666945
Change-Id: Iab0d218c41ae0c39606e333e44cda078eef32291
Diffstat (limited to 'core/jni/AndroidRuntime.cpp')
0 files changed, 0 insertions, 0 deletions