diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 425df389b..638ac6299 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -323,7 +323,11 @@ status_t GraphicBuffer::unflatten(
 const size_t numFds = static_cast(buf[8]);
 const size_t numInts = static_cast(buf[9]);
- const size_t maxNumber = UINT_MAX / sizeof(int);
+ // Limit the maxNumber to be relatively small. The number of fds or ints
+ // should not come close to this number, and the number itself was simply
+ // chosen to be high enough to not cause issues and low enough to prevent
+ // overflow problems.
+ const size_t maxNumber = 4096;
 if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
 width = height = stride = format = usage = 0;
 handle = NULL;
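Review bot: The new bound on `numFds` and `numInts` is a bare `4096` inside the function, and its comment says only that the value was "simply chosen", so a later reader cannot tell which size computation it is meant to keep from wrapping. I would hoist it to a named file-level constant, for example `static const size_t kMaxFlattenedEntries = 4096;`, with a comment naming the arithmetic it protects. That arithmetic is presumably the size and fd-count calculations further down in `unflatten`, which lie outside this hunk. The `- 10` in `numInts >= (maxNumber - 10)` looks like the fixed header word count implied by the `buf[8]`/`buf[9]` reads and deserves a name as well. It is also worth confirming that the flatten side can never emit more entries than this cap, otherwise a buffer accepted by the sender would be rejected here.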