Region: Detect malicious overflow in unflatten

Bug 29983260

Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
This commit is contained in:
Pablo Ceballos 2016-07-13 14:11:57 -07:00 committed by gitbuildkicker
parent 54cb02ad73
commit 07cd4cdf21

View File

@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
return NO_MEMORY;
}
if (numRects > (UINT32_MAX / sizeof(Rect))) {
android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
return NO_MEMORY;
}
Region result;
result.mStorage.clear();
for (size_t r = 0; r < numRects; ++r) {