From a3a09ef6b40ffc44c6d17a2d8d798fbd19456c59 Mon Sep 17 00:00:00 2001
From: Chris Forbes
Date: Wed, 10 May 2017 13:12:00 -0700
Subject: [PATCH] ui: Fix bad size check in Fence::unflatten
Differs slightly from mnc+ patch: GetFlattenedSize was fixed in mnc.
Test: Boot device, run poc from bug, observe no longer crashes
Bug: 37285689
AOSP-Change-Id: Id8b851733b088cce0d07493fbf76e7e24f9299ad
(cherry picked from commit 9809602ac32dcb7bceaa5bc34df5b7fb68aacd38)
CVE-2017-0666
Change-Id: I778c82b363ca0409d534f255cc5d17b39e751986
---
libs/ui/Fence.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libs/ui/Fence.cpp b/libs/ui/Fence.cpp
index bf24ffb7e..1b2f34dfa 100644
--- a/libs/ui/Fence.cpp
+++ b/libs/ui/Fence.cpp
@@ -157,7 +157,7 @@ status_t Fence::unflatten(void const*& buffer, size_t& size, int const*& fds, si
 return INVALID_OPERATION;
 }
- if (size < 1) {
+ if (size < getFlattenedSize()) {
 return NO_MEMORY;
 }
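Review bot: The new guard `if (size < getFlattenedSize())` is only as strong as the value `getFlattenedSize()` returns on this branch, and that definition is not part of the hunk. The commit message notes that GetFlattenedSize was fixed in mnc, so on a tree that predates that fix the check may still accept a buffer shorter than what the rest of `unflatten` reads; please confirm it returns the number of bytes actually consumed. A comment above the check would keep the two tied together, e.g. `// Must cover every byte read below; keep in step with getFlattenedSize().` The Test: line describes a manual PoC run only, so a unit test that passes an undersized buffer and expects `NO_MEMORY` would keep the bound from regressing. The body of `unflatten` starts and ends outside this hunk.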