authorMichael Lentine <mlentine@google.com>2014-10-31 15:25:03 -0700
committerPaul Kocialkowski <contact@paulk.fr>2015-08-30 23:11:16 +0200
commit05067332213173e408a98c070602fa2046e102ec (patch)
treef5500b5ce5d9eae088ad861eb84b73ab6325f254
parentdbad3f4c4e1df1f3207450e7b815030b6803e3c4 (diff)
Fix for corruption when numFds or numInts is too large.
Bug: 18076253 Change-Id: I4c5935440013fc755e1d123049290383f4659fb6 (cherry picked from commit dfd06b89a4b77fc75eb85a3c1c700da3621c0118) Signed-off-by: Michael Lentine <mlentine@google.com> Tested-by: Moritz Bandemer <replicant@posteo.mx>
-rw-r--r--libs/ui/GraphicBuffer.cpp18
1 files changed, 17 insertions, 1 deletions
diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 219375e..4069fbc 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -272,10 +272,20 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
const size_t numFds = buf[6];
const size_t numInts = buf[7];
+ const size_t maxNumber = UINT_MAX / sizeof(int);
+ if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+ width = height = stride = format = usage = 0;
+ handle = NULL;
+ ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+ numFds, numInts);
+ return BAD_VALUE;
+ }
+
+
const size_t sizeNeeded = (8 + numInts) * sizeof(int);
if (size < sizeNeeded) return NO_MEMORY;
- size_t fdCountNeeded = 0;
+ size_t fdCountNeeded = numFds;
if (count < fdCountNeeded) return NO_MEMORY;
if (handle) {
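Review bot: The new ALOGE prints the two `size_t` values `numFds` and `numInts` with `%d`, which misreads the arguments on LP64 builds and trips printf-format checking where ALOGE carries a format attribute; it should be `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The `maxNumber - 10` bound exists so that `(8 + numInts) * sizeof(int)` on the following line cannot wrap, and it also keeps both counts below INT_MAX for the later `native_handle_create(numFds, numInts)` call, which presumably takes `int` counts; none of that is recorded, so a comment such as `// bound so (8 + numInts) * sizeof(int) cannot wrap and both counts fit an int` above the `if` would save the next reader the arithmetic. The body of `GraphicBuffer::unflatten` begins before and continues past this hunk, so the values of `buf`, `fds`, `count` and `size` are not visible here.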
@@ -290,6 +300,12 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
format = buf[4];
usage = buf[5];
native_handle* h = native_handle_create(numFds, numInts);
+ if (!h) {
+ width = height = stride = format = usage = 0;
+ handle = NULL;
+ ALOGE("unflatten: native_handle_create failed");
+ return NO_MEMORY;
+ }
memcpy(h->data, fds, numFds*sizeof(int));
memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
handle = h;
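Review bot: The reset of `width`, `height`, `stride`, `format`, `usage` and `handle` in the new failure branch duplicates the same six-field reset in the earlier `BAD_VALUE` path of this function, so the two error paths can silently drift apart if a field is added; a small private helper (for example `clearUnflattenState()` that zeroes the five fields and sets `handle = NULL`) called from both branches would keep them in sync. It would also help to include the requested sizes in the failure log, `ALOGE("unflatten: native_handle_create(%zu, %zu) failed", numFds, numInts);`, since an allocation failure here is most likely caused by hostile counts and the current message gives nothing to correlate with. `unflatten` continues past the end of this hunk, so whatever ownership bookkeeping follows `handle = h;` is not visible here.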