ADHOC/replicant-frameworks_native
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

am 76ebd319: am 3d89edca: am e6f7a44e: Fix for corruption when numFds or numInts is too large.

Browse Source 
* commit '76ebd319d96494049a2a598f4449c0ec417220f6':
  Fix for corruption when numFds or numInts is too large.
This commit is contained in:
Michael Lentine 2014-12-02 18:04:09 +00:00 committed by Android Git Automerger
commit d6308379d9
1 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
libs/ui/GraphicBuffer.cpp
View File

@ -251,10 +251,19 @@ status_t GraphicBuffer::unflatten(
const size_t numFds = buf[6]; const size_t numFds = buf[6];
const size_t numInts = buf[7]; const size_t numInts = buf[7];
const size_t maxNumber = UINT_MAX / sizeof(int);
if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
width = height = stride = format = usage = 0;
handle = NULL;
ALOGE("unflatten: numFds or numInts is too large: %d, %d",
numFds, numInts);
return BAD_VALUE;
}
const size_t sizeNeeded = (8 + numInts) * sizeof(int); const size_t sizeNeeded = (8 + numInts) * sizeof(int);
if (size < sizeNeeded) return NO_MEMORY; if (size < sizeNeeded) return NO_MEMORY;
size_t fdCountNeeded = 0; size_t fdCountNeeded = numFds;
if (count < fdCountNeeded) return NO_MEMORY; if (count < fdCountNeeded) return NO_MEMORY;
if (handle) { if (handle) {
@ -269,6 +278,12 @@ status_t GraphicBuffer::unflatten(
format = buf[4]; format = buf[4];
usage = buf[5]; usage = buf[5];
native_handle* h = native_handle_create(numFds, numInts); native_handle* h = native_handle_create(numFds, numInts);
if (!h) {
width = height = stride = format = usage = 0;
handle = NULL;
ALOGE("unflatten: native_handle_create failed");
return NO_MEMORY;
}
memcpy(h->data, fds, numFds*sizeof(int)); memcpy(h->data, fds, numFds*sizeof(int));
memcpy(h->data + numFds, &buf[8], numInts*sizeof(int)); memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
handle = h; handle = h;