author | Adam Lesinski <adamlesinski@google.com> | 2015-04-27 12:13:33 -0700 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-18 21:01:55 +0200 |
commit | 8ea5d01e90ae680c425e72ae9d10965ea6c0bcff (patch) | |
tree | 3362c6b578ad2bbb3c5d8b252705f4d790f5872f | |
parent | 47e9710fe5c8f9e72ab0370334101f38bfc279ab (diff) | |
Prevent integer overflow when allocating native_handle_t
User specified values of numInts and numFds can overflow
and cause malloc to allocate less than we expect, causing
heap corruption in subsequent operations on the allocation.
Bug: 19334482
Change-Id: I43c75f536ea4c08f14ca12ca6288660fd2d1ec55
Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
-rw-r--r-- | libcutils/native_handle.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/libcutils/native_handle.c b/libcutils/native_handle.c
index 4089968..61fa38e 100644
--- a/libcutils/native_handle.c
+++ b/libcutils/native_handle.c
@@ -25,14 +25,22 @@
 #include <cutils/log.h>
 #include <cutils/native_handle.h>
 
+static const int kMaxNativeFds = 1024;
+static const int kMaxNativeInts = 1024;
+
 native_handle_t* native_handle_create(int numFds, int numInts)
 {
-    native_handle_t* h = malloc(
-            sizeof(native_handle_t) + sizeof(int)*(numFds+numInts));
+    if (numFds < 0 || numInts < 0 || numFds > kMaxNativeFds || numInts > kMaxNativeInts) {
+        return NULL;
+    }
 
-    h->version = sizeof(native_handle_t);
-    h->numFds = numFds;
-    h->numInts = numInts;
+    size_t mallocSize = sizeof(native_handle_t) + (sizeof(int) * (numFds + numInts));
+    native_handle_t* h = malloc(mallocSize);
+    if (h) {
+        h->version = sizeof(native_handle_t);
+        h->numFds = numFds;
+        h->numInts = numInts;
+    }
     return h;
 }
 
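Review bot: The new NULL return for out-of-range numFds/numInts is a second failure mode that is distinguishable from neither malloc failure nor the old behaviour, and nothing in the hunk documents it or the 1024 limits; callers that never checked the result before will dereference NULL now. I would add a comment above the two constants explaining why they exist, e.g. `/* Bounds on caller-supplied counts: with both capped at 1024 the sizeof(int)*(numFds+numInts) term cannot overflow int or size_t, and no real handle comes close to this size. */`, and note in the header declaration of native_handle_create that it returns NULL when either count is negative or exceeds the cap, as well as on allocation failure. Since <cutils/log.h> is already included, the rejection branch could also log the offending counts so that a caller passing attacker-controlled values is visible in logcat rather than silently getting NULL, but that is a judgment call. The rest of native_handle.c (close/delete, which iterate over numFds) is outside this hunk, so whether those paths also need bounding cannot be judged from here.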