From 0d46d72ec922f94d8d5b9f476a91e5be46956824 Mon Sep 17 00:00:00 2001
From: Adam Lesinski
Date: Tue, 12 May 2015 17:35:48 -0700
Subject: Verify that the native handle was created

The inputs to native_handle_create can cause an overflowed allocation, so check the return value of native_handle_create before accessing the memory it returns.

Bug:19334482
Change-Id: I1f489382776c2a1390793a79dc27ea17baa9b2a2
(cherry picked from commit eaac99a7172da52a76ba48c26413778a74951b1a)
Tested-by: Wolfgang Wiedmeyer
---
 libs/binder/Parcel.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index dc848cb..b3b1c80 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1077,6 +1077,10 @@ native_handle* Parcel::readNativeHandle() const
 if (err != NO_ERROR) return 0;
 native_handle* h = native_handle_create(numFds, numInts);
+ if (!h) {
+ return 0;
+ }
+
 for (int i=0 ; err==NO_ERROR && idata[i] = dup(readFileDescriptor());
 if (h->data[i] < 0) err = BAD_VALUE;
-- 
cgit v1.1
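Review bot: The new `if (!h)` guard carries no comment, so a later reader of readNativeHandle() sees only a plain null check and not the reason the commit message gives, which is that numFds and numInts come straight out of the parcel and native_handle_create rejects inputs that would overflow its allocation; add `// native_handle_create() returns NULL when numFds/numInts would overflow the allocation size; bail out before touching h` above the check. Returning 0 here matches the `if (err != NO_ERROR) return 0;` path two lines earlier, so callers need no new handling. The loop that follows dups one descriptor per numFds and sets `err = BAD_VALUE` on a failed dup; presumably the cleanup after the loop closes the descriptors already placed in h->data and frees h, but that part of readNativeHandle() lies outside the hunk and should be confirmed. Note that the `for` line is garbled in this rendering (the loop bound and the `h->data[i]` assignment have run together), which is a page artifact rather than a defect in the patch.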