Google Git
Sign in
android / platform / frameworks / native / 38803268570f90e97452cd9a30ac831661829091^! / .
commit38803268570f90e97452cd9a30ac831661829091[log] [tgz]
authorMichael Lentine <mlentine@google.com>Fri Oct 31 15:25:03 2014 -0700
committerDan Albert <danalbert@google.com>Thu Dec 04 17:49:31 2014 -0800
treefaf6fa72d3f92d3a7e92bf768d589e2800e59e42
parentf8954c81a4ec43958867d1f6f497ef449bf091fd [diff]
Fix for corruption when numFds or numInts is too large.

Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6
(cherry picked from commit dfd06b89a4b77fc75eb85a3c1c700da3621c0118)

diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 9b0bd60..e768f13 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp

@@ -310,10 +310,19 @@
     const size_t numFds  = buf[8];
     const size_t numInts = buf[9];
 
+    const size_t maxNumber = UINT_MAX / sizeof(int);
+    if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+        width = height = stride = format = usage = 0;
+        handle = NULL;
+        ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+                numFds, numInts);
+        return BAD_VALUE;
+    }
+
     const size_t sizeNeeded = (10 + numInts) * sizeof(int);
     if (size < sizeNeeded) return NO_MEMORY;
 
-    size_t fdCountNeeded = 0;
+    size_t fdCountNeeded = numFds;
     if (count < fdCountNeeded) return NO_MEMORY;
 
     if (handle) {
@@ -328,6 +337,12 @@
         format = buf[4];
         usage  = buf[5];
         native_handle* h = native_handle_create(numFds, numInts);
+        if (!h) {
+            width = height = stride = format = usage = 0;
+            handle = NULL;
+            ALOGE("unflatten: native_handle_create failed");
+            return NO_MEMORY;
+        }
         memcpy(h->data,          fds,     numFds*sizeof(int));
         memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));
         handle = h;