commit | e5753ba087fa59ee02f6026cc13b1ceb42a1f266 | [log] [tgz] |
---|---|---|
author | Casey Dahlin <sadmac@google.com> | Wed Oct 26 17:18:25 2016 -0700 |
committer | gitbuildkicker <android-build@google.com> | Thu Dec 01 14:47:04 2016 -0800 |
tree | 636e7683ce010761d3713048814100fc824ac5fd | |
parent | f14208e0390d8ee20ee4a5d7605d614e8b1abaf1 [diff] |
Fix integer overflow in unsafeReadTypedVector Passing a size to std::vector that is too big causes it to silently under-allocate when exceptions are disabled, leaving us open to an OOB write. We check the bounds and the resulting size now to verify allocation succeeds. Test: Verified reproducer attached to bug no longer crashes Camera service. Bug: 31677614 Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7 (cherry picked from commit 65a8f07e57a492289798ca709a311650b5bd5af1)