Region: Detect malicious overflow in unflatten

Bug 29983260 Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
2016-07-13 14:11:57 -07:00 · 2016-07-13 14:11:57 -07:00 · 1ecb999624
commit 1ecb999624
parent 3bcf0caa8c
1 changed files with 5 additions and 0 deletions
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp
@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
        return NO_MEMORY;
    }

+    if (numRects > (UINT32_MAX / sizeof(Rect))) {
+        android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
+        return NO_MEMORY;
+    }
+
    Region result;
    result.mStorage.clear();
    for (size_t r = 0; r < numRects; ++r) {