am 26645298: Merge "Fix for corruption when numFds or numInts is too large." into lmp-mr1-dev

* commit '26645298400c0ae3a95731388364263d6a914ee4':
  Fix for corruption when numFds or numInts is too large.
Michael Lentine 2014-11-05 19:06:19 +00:00 committed by Android Git Automerger
commit a2f27a0d63


@ -310,10 +310,19 @@ status_t GraphicBuffer::unflatten(
const size_t numFds = buf[8]; const size_t numFds = buf[8];
const size_t numInts = buf[9]; const size_t numInts = buf[9];
const size_t maxNumber = UINT_MAX / sizeof(int);
if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
width = height = stride = format = usage = 0;
handle = NULL;
ALOGE("unflatten: numFds or numInts is too large: %d, %d",
numFds, numInts);
return BAD_VALUE;
}
const size_t sizeNeeded = (10 + numInts) * sizeof(int); const size_t sizeNeeded = (10 + numInts) * sizeof(int);
if (size < sizeNeeded) return NO_MEMORY; if (size < sizeNeeded) return NO_MEMORY;
size_t fdCountNeeded = 0; size_t fdCountNeeded = numFds;
if (count < fdCountNeeded) return NO_MEMORY; if (count < fdCountNeeded) return NO_MEMORY;
if (handle) { if (handle) {
@ -328,6 +337,12 @@ status_t GraphicBuffer::unflatten(
format = buf[4]; format = buf[4];
usage = buf[5]; usage = buf[5];
native_handle* h = native_handle_create(numFds, numInts); native_handle* h = native_handle_create(numFds, numInts);
if (!h) {
width = height = stride = format = usage = 0;
handle = NULL;
ALOGE("unflatten: native_handle_create failed");
return NO_MEMORY;
}
memcpy(h->data, fds, numFds*sizeof(int)); memcpy(h->data, fds, numFds*sizeof(int));
memcpy(h->data + numFds, &buf[10], numInts*sizeof(int)); memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));
handle = h; handle = h;
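Review bot: The new ALOGE in the first hunk (the numFds/numInts bounds check) formats `numFds` and `numInts` with `%d`, but both are declared `const size_t` two lines above, so the variadic arguments do not match the conversion and on an LP64 build the logged values can be wrong; the line should be `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The two new error paths also repeat the same reset sequence (`width = height = stride = format = usage = 0; handle = NULL;`), which could live in one small private helper so a later field is not forgotten in one of the copies. The body of GraphicBuffer::unflatten starts before the first hunk and appears to continue after the last visible line.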