SurfaceFlinger: Fix integer overflow in Mesh ctor

Performs range checking on the inputs to Mesh::Mesh() before allocating
the storage array.

Bug: 20674682
Change-Id: I4fc918a8c312d967dd6d9f91a098b2e0a7081027
Dan Stoza 2015-04-29 13:30:31 -07:00
parent 8de71a2408
commit ab79e33ef3


@ -16,14 +16,40 @@
#include "Mesh.h" #include "Mesh.h"
#include <utils/Log.h>
namespace android { namespace android {
Mesh::Mesh(Primitive primitive, size_t vertexCount, size_t vertexSize, size_t texCoordSize) Mesh::Mesh(Primitive primitive, size_t vertexCount, size_t vertexSize, size_t texCoordSize)
: mVertexCount(vertexCount), mVertexSize(vertexSize), mTexCoordsSize(texCoordSize), : mVertexCount(vertexCount), mVertexSize(vertexSize), mTexCoordsSize(texCoordSize),
mPrimitive(primitive) mPrimitive(primitive)
{ {
mVertices = new float[(vertexSize + texCoordSize) * vertexCount]; if (vertexCount == 0) {
mStride = mVertexSize + mTexCoordsSize; mVertices = new float[1];
mVertices[0] = 0.0f;
mStride = 0;
return;
}
size_t stride = vertexSize + texCoordSize;
size_t remainder = (stride * vertexCount) / vertexCount;
// Since all of the input parameters are unsigned, if stride is less than
// either vertexSize or texCoordSize, it must have overflowed. remainder
// will be equal to stride as long as stride * vertexCount doesn't overflow.
if ((stride < vertexSize) || (remainder != stride)) {
ALOGE("Overflow in Mesh(..., %zu, %zu, %zu)", vertexCount, vertexSize,
texCoordSize);
mVertices = new float[1];
mVertices[0] = 0.0f;
mVertexCount = 0;
mVertexSize = 0;
mTexCoordsSize = 0;
mStride = 0;
return;
}
mVertices = new float[stride * vertexCount];
mStride = stride;
} }
Mesh::~Mesh() { Mesh::~Mesh() {
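Review bot: Both fallback paths in the constructor (the `vertexCount == 0` branch and the overflow branch) leave `mVertices` pointing at a single float with `mStride` set to 0, so a caller that fills in vertices without first checking the vertex count would write past that one-element buffer. The callers are not visible in this hunk, so this needs confirming against them. Each fallback should carry a comment stating the contract, e.g. `// Fallback: 1-float dummy buffer, zero stride; callers must not write vertices when the count is 0`. The zero-count branch also leaves `mVertexSize` and `mTexCoordsSize` at the caller's values while the overflow branch zeroes them, which is worth making consistent. The local `remainder` actually holds a quotient, so a name such as `quotient` would read more accurately.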