SurfaceFlinger: Fix integer overflow in Mesh ctor
Performs range checking on the inputs to Mesh::Mesh() before allocating the storage array. Bug: 20674682 Change-Id: I4fc918a8c312d967dd6d9f91a098b2e0a7081027
parent
8de71a2408
commit
ab79e33ef3
@ -16,14 +16,40 @@
|
||||
|
||||
#include "Mesh.h"
|
||||
|
||||
#include <utils/Log.h>
|
||||
|
||||
namespace android {
|
||||
|
||||
Mesh::Mesh(Primitive primitive, size_t vertexCount, size_t vertexSize, size_t texCoordSize)
|
||||
: mVertexCount(vertexCount), mVertexSize(vertexSize), mTexCoordsSize(texCoordSize),
|
||||
mPrimitive(primitive)
|
||||
{
|
||||
mVertices = new float[(vertexSize + texCoordSize) * vertexCount];
|
||||
mStride = mVertexSize + mTexCoordsSize;
|
||||
if (vertexCount == 0) {
|
||||
mVertices = new float[1];
|
||||
mVertices[0] = 0.0f;
|
||||
mStride = 0;
|
||||
return;
|
||||
}
|
||||
|
||||
size_t stride = vertexSize + texCoordSize;
|
||||
size_t remainder = (stride * vertexCount) / vertexCount;
|
||||
// Since all of the input parameters are unsigned, if stride is less than
|
||||
// either vertexSize or texCoordSize, it must have overflowed. remainder
|
||||
// will be equal to stride as long as stride * vertexCount doesn't overflow.
|
||||
if ((stride < vertexSize) || (remainder != stride)) {
|
||||
ALOGE("Overflow in Mesh(..., %zu, %zu, %zu)", vertexCount, vertexSize,
|
||||
texCoordSize);
|
||||
mVertices = new float[1];
|
||||
mVertices[0] = 0.0f;
|
||||
mVertexCount = 0;
|
||||
mVertexSize = 0;
|
||||
mTexCoordsSize = 0;
|
||||
mStride = 0;
|
||||
return;
|
||||
}
|
||||
|
||||
mVertices = new float[stride * vertexCount];
|
||||
mStride = stride;
|
||||
}
|
||||
|
||||
Mesh::~Mesh() {
|
||||
|
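Review bot: The guard ahead of `new float[stride * vertexCount]` bounds the element count only, so a product that fits in size_t can still overflow once it is scaled by sizeof(float). The array new-expression is expected to reject that case itself, but any byte-size arithmetic elsewhere in Mesh (not visible on this page) would not be covered. Extending the condition with `(stride != 0 && vertexCount > SIZE_MAX / sizeof(float) / stride)` would bound the byte count as well. Separately, the `vertexCount == 0` branch leaves mVertexSize and mTexCoordsSize at the caller-supplied values while the overflow branch zeroes them. Adding `mVertexSize = 0; mTexCoordsSize = 0;` there would keep any offset derived from those members inside the one-float allocation.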