Fix for corruption when numFds or numInts is too large.
Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6
(cherry picked from commit dfd06b89a4)
parent
f8954c81a4
commit
3880326857
@ -310,10 +310,19 @@ status_t GraphicBuffer::unflatten(
|
||||
const size_t numFds = buf[8];
|
||||
const size_t numInts = buf[9];
|
||||
|
||||
const size_t maxNumber = UINT_MAX / sizeof(int);
|
||||
if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
|
||||
width = height = stride = format = usage = 0;
|
||||
handle = NULL;
|
||||
ALOGE("unflatten: numFds or numInts is too large: %d, %d",
|
||||
numFds, numInts);
|
||||
return BAD_VALUE;
|
||||
}
|
||||
|
||||
const size_t sizeNeeded = (10 + numInts) * sizeof(int);
|
||||
if (size < sizeNeeded) return NO_MEMORY;
|
||||
|
||||
size_t fdCountNeeded = 0;
|
||||
size_t fdCountNeeded = numFds;
|
||||
if (count < fdCountNeeded) return NO_MEMORY;
|
||||
|
||||
if (handle) {
|
||||
@ -328,6 +337,12 @@ status_t GraphicBuffer::unflatten(
|
||||
format = buf[4];
|
||||
usage = buf[5];
|
||||
native_handle* h = native_handle_create(numFds, numInts);
|
||||
if (!h) {
|
||||
width = height = stride = format = usage = 0;
|
||||
handle = NULL;
|
||||
ALOGE("unflatten: native_handle_create failed");
|
||||
return NO_MEMORY;
|
||||
}
|
||||
memcpy(h->data, fds, numFds*sizeof(int));
|
||||
memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));
|
||||
handle = h;
|
||||
|
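Review bot: The ALOGE added in the first hunk prints the size_t values numFds and numInts with `%d`, so on LP64 builds the varargs are read at the wrong width and the logged sizes are unreliable exactly when the check fires; it should read `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The same early-return branch also sets `handle = NULL` before reaching the `if (handle) {` block that follows, which appears to be where a previously held native_handle is released; if so, bailing out here leaves that old handle unreleased, and the same applies to the `!h` branch in the second hunk, so the existing cleanup should run before either return. GraphicBuffer::unflatten starts and ends outside both hunks, so the rest of the cleanup path is not visible here.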