Fix for corruption when numFds or numInts is too large.

Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6
(cherry picked from commit dfd06b89a4)
This commit is contained in:
Michael Lentine 2014-10-31 15:25:03 -07:00 committed by Dan Albert
parent f8954c81a4
commit 3880326857

View File

@ -310,10 +310,19 @@ status_t GraphicBuffer::unflatten(
const size_t numFds = buf[8];
const size_t numInts = buf[9];
const size_t maxNumber = UINT_MAX / sizeof(int);
if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
width = height = stride = format = usage = 0;
handle = NULL;
ALOGE("unflatten: numFds or numInts is too large: %d, %d",
numFds, numInts);
return BAD_VALUE;
}
const size_t sizeNeeded = (10 + numInts) * sizeof(int);
if (size < sizeNeeded) return NO_MEMORY;
size_t fdCountNeeded = 0;
size_t fdCountNeeded = numFds;
if (count < fdCountNeeded) return NO_MEMORY;
if (handle) {
@ -328,6 +337,12 @@ status_t GraphicBuffer::unflatten(
format = buf[4];
usage = buf[5];
native_handle* h = native_handle_create(numFds, numInts);
if (!h) {
width = height = stride = format = usage = 0;
handle = NULL;
ALOGE("unflatten: native_handle_create failed");
return NO_MEMORY;
}
memcpy(h->data, fds, numFds*sizeof(int));
memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));
handle = h;