SurfaceFlinger: Fix integer overflow in Mesh ctor
Performs range checking on the inputs to Mesh::Mesh() before allocating the storage array. Bug: 20674682 Change-Id: I4fc918a8c312d967dd6d9f91a098b2e0a7081027
parent
8de71a2408
commit
ab79e33ef3
@ -16,14 +16,40 @@
|
|||||||
|
|
||||||
#include "Mesh.h"
|
#include "Mesh.h"
|
||||||
|
|
||||||
|
#include <utils/Log.h>
|
||||||
|
|
||||||
namespace android {
|
namespace android {
|
||||||
|
|
||||||
Mesh::Mesh(Primitive primitive, size_t vertexCount, size_t vertexSize, size_t texCoordSize)
|
Mesh::Mesh(Primitive primitive, size_t vertexCount, size_t vertexSize, size_t texCoordSize)
|
||||||
: mVertexCount(vertexCount), mVertexSize(vertexSize), mTexCoordsSize(texCoordSize),
|
: mVertexCount(vertexCount), mVertexSize(vertexSize), mTexCoordsSize(texCoordSize),
|
||||||
mPrimitive(primitive)
|
mPrimitive(primitive)
|
||||||
{
|
{
|
||||||
mVertices = new float[(vertexSize + texCoordSize) * vertexCount];
|
if (vertexCount == 0) {
|
||||||
mStride = mVertexSize + mTexCoordsSize;
|
mVertices = new float[1];
|
||||||
|
mVertices[0] = 0.0f;
|
||||||
|
mStride = 0;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
size_t stride = vertexSize + texCoordSize;
|
||||||
|
size_t remainder = (stride * vertexCount) / vertexCount;
|
||||||
|
// Since all of the input parameters are unsigned, if stride is less than
|
||||||
|
// either vertexSize or texCoordSize, it must have overflowed. remainder
|
||||||
|
// will be equal to stride as long as stride * vertexCount doesn't overflow.
|
||||||
|
if ((stride < vertexSize) || (remainder != stride)) {
|
||||||
|
ALOGE("Overflow in Mesh(..., %zu, %zu, %zu)", vertexCount, vertexSize,
|
||||||
|
texCoordSize);
|
||||||
|
mVertices = new float[1];
|
||||||
|
mVertices[0] = 0.0f;
|
||||||
|
mVertexCount = 0;
|
||||||
|
mVertexSize = 0;
|
||||||
|
mTexCoordsSize = 0;
|
||||||
|
mStride = 0;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
mVertices = new float[stride * vertexCount];
|
||||||
|
mStride = stride;
|
||||||
}
|
}
|
||||||
|
|
||||||
Mesh::~Mesh() {
|
Mesh::~Mesh() {
|
||||||
|
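Review bot: The new guard ahead of `mVertices = new float[stride * vertexCount];` bounds the element count but not the byte count, so a product that fits in `size_t` can still wrap once it is scaled by `sizeof(float)`. Whether the array-new expression catches that itself depends on the toolchain and on how exceptions are configured, so I would make the bound explicit: `if ((stride < vertexSize) || (remainder != stride) || (stride * vertexCount > SIZE_MAX / sizeof(float))) {`. The local named `remainder` holds a quotient, and renaming it to `quotient` would make the comment above the check read correctly. On the overflow path the object silently becomes a zero-vertex mesh backed by one float; the accessors and callers are not visible here, so it is worth confirming that none of them index the buffer using the counts they originally passed in.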