
Issue #1251 ยป CVE-2015-1474.patch

My Self, 08/26/2015 11:34 AM


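--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -272,10 +272,20 @@
     const size_t numFds  = buf[6];
     const size_t numInts = buf[7];
 
+    const size_t maxNumber = UINT_MAX / sizeof(int);
+    if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+        width = height = stride = format = usage = 0;
+        handle = NULL;
+        ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+                numFds, numInts);
+        return BAD_VALUE;
+    }
+
+
     const size_t sizeNeeded = (8 + numInts) * sizeof(int);
     if (size < sizeNeeded) return NO_MEMORY;
 
-    size_t fdCountNeeded = 0;
+    size_t fdCountNeeded = numFds;
     if (count < fdCountNeeded) return NO_MEMORY;
 
     if (handle) {
@@ -290,6 +300,12 @@
         format = buf[4];
         usage  = buf[5];
         native_handle* h = native_handle_create(numFds, numInts);
+        if (!h) {
+            width = height = stride = format = usage = 0;
+            handle = NULL;
+            ALOGE("unflatten: native_handle_create failed");
+            return NO_MEMORY;
+        }
         memcpy(h->data,          fds,     numFds*sizeof(int));
         memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
         handle = h;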
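Review bot: The new ALOGE at new line 279 passes two `size_t` values (`numFds`, `numInts` are declared `size_t` at new lines 272–273) through `%d`, which is a format/argument mismatch and on LP64 builds will likely log the wrong values for exactly the oversized input this check is meant to report; use `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The bound itself looks sound: capping both counts at `UINT_MAX / sizeof(int)` keeps the later `(8 + numInts) * sizeof(int)` and `numFds*sizeof(int)` products from wrapping, and the `- 10` margin presumably leaves headroom for the 8 header ints — a one-line comment stating that intent, e.g. `// keep (8 + numInts) * sizeof(int) and numFds * sizeof(int) from overflowing`, would save the next reader the derivation. The enclosing function (unflatten, going by the log prefix) starts and ends outside the hunk.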