Issue #1251 » CVE-2015-1474.patch
| libs/ui/GraphicBuffer.cpp | ||
|---|---|---|
| 272 | 272 |
const size_t numFds = buf[6]; |
| 273 | 273 |
const size_t numInts = buf[7]; |
| 274 | 274 | |
| 275 |
const size_t maxNumber = UINT_MAX / sizeof(int); |
|
| 276 |
if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
|
|
| 277 |
width = height = stride = format = usage = 0; |
|
| 278 |
handle = NULL; |
|
| 279 |
ALOGE("unflatten: numFds or numInts is too large: %d, %d",
|
|
| 280 |
numFds, numInts); |
|
| 281 |
return BAD_VALUE; |
|
| 282 |
} |
|
| 283 | ||
| 284 | ||
| 275 | 285 |
const size_t sizeNeeded = (8 + numInts) * sizeof(int); |
| 276 | 286 |
if (size < sizeNeeded) return NO_MEMORY; |
| 277 | 287 | |
| 278 |
size_t fdCountNeeded = 0;
|
|
| 288 |
size_t fdCountNeeded = numFds;
|
|
| 279 | 289 |
if (count < fdCountNeeded) return NO_MEMORY; |
| 280 | 290 | |
| 281 | 291 |
if (handle) {
|
| ... | ... | |
| 290 | 300 |
format = buf[4]; |
| 291 | 301 |
usage = buf[5]; |
| 292 | 302 |
native_handle* h = native_handle_create(numFds, numInts); |
| 303 |
if (!h) {
|
|
| 304 |
width = height = stride = format = usage = 0; |
|
| 305 |
handle = NULL; |
|
| 306 |
ALOGE("unflatten: native_handle_create failed");
|
|
| 307 |
return NO_MEMORY; |
|
| 308 |
} |
|
| 293 | 309 |
memcpy(h->data, fds, numFds*sizeof(int)); |
| 294 | 310 |
memcpy(h->data + numFds, &buf[8], numInts*sizeof(int)); |
| 295 | 311 |
handle = h; |