Fix for corruption when numFds or numInts is too large.

Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6
(cherry picked from commit dfd06b89a4b77fc75eb85a3c1c700da3621c0118)
Signed-off-by: Michael Lentine <mlentine@google.com>
Tested-by: Moritz Bandemer <replicant@posteo.mx>

1 files changed, 17 insertions, 1 deletions

diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 219375e..4069fbc 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -272,10 +272,20 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
     const size_t numFds  = buf[6];
     const size_t numInts = buf[7];
 
+    const size_t maxNumber = UINT_MAX / sizeof(int);
+    if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+        width = height = stride = format = usage = 0;
+        handle = NULL;
+        ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+                numFds, numInts);
+        return BAD_VALUE;
+    }
+
+
     const size_t sizeNeeded = (8 + numInts) * sizeof(int);
     if (size < sizeNeeded) return NO_MEMORY;
 
-    size_t fdCountNeeded = 0;
+    size_t fdCountNeeded = numFds;
     if (count < fdCountNeeded) return NO_MEMORY;
 
     if (handle) {
@@ -290,6 +300,12 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
         format = buf[4];
         usage  = buf[5];
         native_handle* h = native_handle_create(numFds, numInts);
+        if (!h) {
+            width = height = stride = format = usage = 0;
+            handle = NULL;
+            ALOGE("unflatten: native_handle_create failed");
+            return NO_MEMORY;
+        }
         memcpy(h->data,          fds,     numFds*sizeof(int));
         memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
         handle = h;