From 1ecb999624165ea2a9cf5e16b3f7e93358d503d6 Mon Sep 17 00:00:00 2001
From: Pablo Ceballos <pceballos@google.com>
Date: Wed, 13 Jul 2016 14:11:57 -0700
Subject: [PATCH] Region: Detect malicious overflow in unflatten

Bug 29983260

Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
---
 libs/ui/Region.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp
index 3810da404..cfed7a984 100644
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp
@@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
         return NO_MEMORY;
     }
 
+    if (numRects > (UINT32_MAX / sizeof(Rect))) {
+        android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
+        return NO_MEMORY;
+    }
+
     Region result;
     result.mStorage.clear();
     for (size_t r = 0; r < numRects; ++r) {