Region: Detect malicious overflow in unflatten
Bug 29983260 Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
This commit is contained in:
parent
54cb02ad73
commit
07cd4cdf21
@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
|
||||
return NO_MEMORY;
|
||||
}
|
||||
|
||||
if (numRects > (UINT32_MAX / sizeof(Rect))) {
|
||||
android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
|
||||
return NO_MEMORY;
|
||||
}
|
||||
|
||||
Region result;
|
||||
result.mStorage.clear();
|
||||
for (size_t r = 0; r < numRects; ++r) {
|
||||
|
Loading…
Reference in New Issue
Block a user