diff options
| author | Sergio Giro <sgiro@google.com> | 2015-08-18 17:36:50 +0100 |
|---|---|---|
| committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-18 22:15:05 +0200 |
| commit | 7b9fb4924db8be8e33f1d41b53feb3d4e4966381 (patch) | |
| tree | f49cce32dd23f26b33faef1b932cb2bffd42599a | |
| parent | 8ea5d01e90ae680c425e72ae9d10965ea6c0bcff (diff) | |
| download | system_core-7b9fb4924db8be8e33f1d41b53feb3d4e4966381.zip system_core-7b9fb4924db8be8e33f1d41b53feb3d4e4966381.tar.gz system_core-7b9fb4924db8be8e33f1d41b53feb3d4e4966381.tar.bz2 | |
See
https://code.google.com/p/android/issues/detail?id=181910
Bug: 22952485
(cherry picked from commit 66b6eb9490beeeabc804d790c1c4060ce047afd4)
Change-Id: Ic71dd0025b9a7588c4f3bb1c7be1bd13d2ff5105
Conflicts:
libpixelflinger/tinyutils/SharedBuffer.cpp
libutils/Android.mk
| -rw-r--r-- | libpixelflinger/tinyutils/SharedBuffer.cpp | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/libpixelflinger/tinyutils/SharedBuffer.cpp b/libpixelflinger/tinyutils/SharedBuffer.cpp index ef781a7..730c6d8 100644 --- a/libpixelflinger/tinyutils/SharedBuffer.cpp +++ b/libpixelflinger/tinyutils/SharedBuffer.cpp @@ -6,11 +6,15 @@ * */ +#define __STDC_LIMIT_MACROS +#include <stdint.h> #include <stdlib.h> #include <string.h> #include <cutils/atomic.h> +#define LOG_TAG "SharedBuffer" +#include <cutils/log.h> #include "tinyutils/SharedBuffer.h" // --------------------------------------------------------------------------- @@ -19,6 +23,11 @@ namespace android { SharedBuffer* SharedBuffer::alloc(size_t size) { + // Don't overflow if the combined size of the buffer / header is larger than + // size_max. + LOG_ALWAYS_FATAL_IF((size >= (SIZE_MAX - sizeof(SharedBuffer))), + "Invalid buffer size %zu", size); + SharedBuffer* sb = static_cast<SharedBuffer *>(malloc(sizeof(SharedBuffer) + size)); if (sb) { sb->mRefs = 1; @@ -45,7 +54,7 @@ SharedBuffer* SharedBuffer::edit() const memcpy(sb->data(), data(), size()); release(); } - return sb; + return sb; } SharedBuffer* SharedBuffer::editResize(size_t newSize) const @@ -53,6 +62,11 @@ SharedBuffer* SharedBuffer::editResize(size_t newSize) const if (onlyOwner()) { SharedBuffer* buf = const_cast<SharedBuffer*>(this); if (buf->mSize == newSize) return buf; + // Don't overflow if the combined size of the new buffer / header is larger than + // size_max. + LOG_ALWAYS_FATAL_IF((newSize >= (SIZE_MAX - sizeof(SharedBuffer))), + "Invalid buffer size %zu", newSize); + buf = (SharedBuffer*)realloc(buf, sizeof(SharedBuffer) + newSize); if (buf != NULL) { buf->mSize = newSize; |