Check that width and height parameters are small.
The product of width and height should be less than UINT32_MAX (in practice smaller). Adding the checks prevents overflows when allocating buffers. Bug: 20726612 Change-Id: I9769edf0688a9bfe69906d49fa0540cadf4c49b0
This commit is contained in:
parent
6e1a2fea67
commit
1c4537e2e8
@ -394,7 +394,13 @@ EGLBoolean egl_window_surface_v2_t::connect()
|
|||||||
depth.width = width;
|
depth.width = width;
|
||||||
depth.height = height;
|
depth.height = height;
|
||||||
depth.stride = depth.width; // use the width here
|
depth.stride = depth.width; // use the width here
|
||||||
depth.data = (GGLubyte*)malloc(depth.stride*depth.height*2);
|
uint64_t allocSize = static_cast<uint64_t>(depth.stride) *
|
||||||
|
static_cast<uint64_t>(depth.height) * 2;
|
||||||
|
if (depth.stride < 0 || depth.height > INT_MAX ||
|
||||||
|
allocSize > UINT32_MAX) {
|
||||||
|
return setError(EGL_BAD_ALLOC, EGL_FALSE);
|
||||||
|
}
|
||||||
|
depth.data = (GGLubyte*)malloc(allocSize);
|
||||||
if (depth.data == 0) {
|
if (depth.data == 0) {
|
||||||
return setError(EGL_BAD_ALLOC, EGL_FALSE);
|
return setError(EGL_BAD_ALLOC, EGL_FALSE);
|
||||||
}
|
}
|
||||||
@ -548,7 +554,14 @@ EGLBoolean egl_window_surface_v2_t::swapBuffers()
|
|||||||
depth.width = width;
|
depth.width = width;
|
||||||
depth.height = height;
|
depth.height = height;
|
||||||
depth.stride = buffer->stride;
|
depth.stride = buffer->stride;
|
||||||
depth.data = (GGLubyte*)malloc(depth.stride*depth.height*2);
|
uint64_t allocSize = static_cast<uint64_t>(depth.stride) *
|
||||||
|
static_cast<uint64_t>(depth.height) * 2;
|
||||||
|
if (depth.stride < 0 || depth.height > INT_MAX ||
|
||||||
|
allocSize > UINT32_MAX) {
|
||||||
|
setError(EGL_BAD_ALLOC, EGL_FALSE);
|
||||||
|
return EGL_FALSE;
|
||||||
|
}
|
||||||
|
depth.data = (GGLubyte*)malloc(allocSize);
|
||||||
if (depth.data == 0) {
|
if (depth.data == 0) {
|
||||||
setError(EGL_BAD_ALLOC, EGL_FALSE);
|
setError(EGL_BAD_ALLOC, EGL_FALSE);
|
||||||
return EGL_FALSE;
|
return EGL_FALSE;
|
||||||
@ -666,7 +679,14 @@ egl_pixmap_surface_t::egl_pixmap_surface_t(EGLDisplay dpy,
|
|||||||
depth.width = pixmap->width;
|
depth.width = pixmap->width;
|
||||||
depth.height = pixmap->height;
|
depth.height = pixmap->height;
|
||||||
depth.stride = depth.width; // use the width here
|
depth.stride = depth.width; // use the width here
|
||||||
depth.data = (GGLubyte*)malloc(depth.stride*depth.height*2);
|
uint64_t allocSize = static_cast<uint64_t>(depth.stride) *
|
||||||
|
static_cast<uint64_t>(depth.height) * 2;
|
||||||
|
if (depth.stride < 0 || depth.height > INT_MAX ||
|
||||||
|
allocSize > UINT32_MAX) {
|
||||||
|
setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
depth.data = (GGLubyte*)malloc(allocSize);
|
||||||
if (depth.data == 0) {
|
if (depth.data == 0) {
|
||||||
setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
|
setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
|
||||||
}
|
}
|
||||||
@ -746,7 +766,14 @@ egl_pbuffer_surface_t::egl_pbuffer_surface_t(EGLDisplay dpy,
|
|||||||
depth.width = pbuffer.width;
|
depth.width = pbuffer.width;
|
||||||
depth.height = pbuffer.height;
|
depth.height = pbuffer.height;
|
||||||
depth.stride = depth.width; // use the width here
|
depth.stride = depth.width; // use the width here
|
||||||
depth.data = (GGLubyte*)malloc(depth.stride*depth.height*2);
|
uint64_t allocSize = static_cast<uint64_t>(depth.stride) *
|
||||||
|
static_cast<uint64_t>(depth.height) * 2;
|
||||||
|
if (depth.stride < 0 || depth.height > INT_MAX ||
|
||||||
|
allocSize > UINT32_MAX) {
|
||||||
|
setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
depth.data = (GGLubyte*)malloc(allocSize);
|
||||||
if (depth.data == 0) {
|
if (depth.data == 0) {
|
||||||
setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
|
setError(EGL_BAD_ALLOC, EGL_NO_SURFACE);
|
||||||
return;
|
return;
|
||||||
|
Loading…
Reference in New Issue
Block a user