Google Git
Sign in
android / platform / frameworks / native / e5753ba087fa59ee02f6026cc13b1ceb42a1f266
commite5753ba087fa59ee02f6026cc13b1ceb42a1f266[log] [tgz]
authorCasey Dahlin <sadmac@google.com>Wed Oct 26 17:18:25 2016 -0700
committergitbuildkicker <android-build@google.com>Thu Dec 01 14:47:04 2016 -0800
tree636e7683ce010761d3713048814100fc824ac5fd
parentf14208e0390d8ee20ee4a5d7605d614e8b1abaf1 [diff]
Fix integer overflow in unsafeReadTypedVector

Passing a size to std::vector that is too big causes it to silently
under-allocate when exceptions are disabled, leaving us open to an OOB
write. We check the bounds and the resulting size now to verify
allocation succeeds.

Test: Verified reproducer attached to bug no longer crashes Camera
      service.
Bug: 31677614

Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7
(cherry picked from commit 65a8f07e57a492289798ca709a311650b5bd5af1)
1 file changed
tree: 636e7683ce010761d3713048814100fc824ac5fd
  1. aidl/
  2. build/
  3. cmds/
  4. data/
  5. docs/
  6. include/
  7. libs/
  8. opengl/
  9. services/
  10. vulkan/
  11. MODULE_LICENSE_APACHE2
  12. NOTICE