From 0d46d72ec922f94d8d5b9f476a91e5be46956824 Mon Sep 17 00:00:00 2001
From: Adam Lesinski <adamlesinski@google.com>
Date: Tue, 12 May 2015 17:35:48 -0700
Subject: Verify that the native handle was created

The inputs to native_handle_create can cause an overflowed allocation,
so check the return value of native_handle_create before accessing
the memory it returns.

Bug:19334482
Change-Id: I1f489382776c2a1390793a79dc27ea17baa9b2a2
(cherry picked from commit eaac99a7172da52a76ba48c26413778a74951b1a)
Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
---
 libs/binder/Parcel.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index dc848cb..b3b1c80 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1077,6 +1077,10 @@ native_handle* Parcel::readNativeHandle() const
     if (err != NO_ERROR) return 0;
 
     native_handle* h = native_handle_create(numFds, numInts);
+    if (!h) {
+        return 0;
+    }
+
     for (int i=0 ; err==NO_ERROR && i<numFds ; i++) {
         h->data[i] = dup(readFileDescriptor());
         if (h->data[i] < 0) err = BAD_VALUE;
-- 
cgit v1.1