Issue #1251 » CVE-2015-1474.patch
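--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -272,10 +272,20 @@
 const size_t numFds = buf[6];
 const size_t numInts = buf[7];
 
+const size_t maxNumber = UINT_MAX / sizeof(int);
+if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+width = height = stride = format = usage = 0;
+handle = NULL;
+ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+numFds, numInts);
+return BAD_VALUE;
+}
+
+
 const size_t sizeNeeded = (8 + numInts) * sizeof(int);
 if (size < sizeNeeded) return NO_MEMORY;
 
-size_t fdCountNeeded = 0;
+size_t fdCountNeeded = numFds;
 if (count < fdCountNeeded) return NO_MEMORY;
 
 if (handle) {
@@ -290,6 +300,12 @@
 format = buf[4];
 usage = buf[5];
 native_handle* h = native_handle_create(numFds, numInts);
+if (!h) {
+width = height = stride = format = usage = 0;
+handle = NULL;
+ALOGE("unflatten: native_handle_create failed");
+return NO_MEMORY;
+}
 memcpy(h->data, fds, numFds*sizeof(int));
 memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
 handle = h;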
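Review bot: The new ALOGE in the first hunk (new lines 279-280) formats `numFds` and `numInts` with `%d`, but both are declared `const size_t` two lines above, so the conversion specifier does not match the argument type; on an LP64 build this is undefined behaviour and the logged values are unreliable. Use the size_t specifier instead: `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The bound itself looks sound: keeping numInts below `UINT_MAX / sizeof(int) - 10` means `(8 + numInts) * sizeof(int)` cannot wrap, and tying `fdCountNeeded` to `numFds` makes the `count` check cover the later `memcpy` from `fds`, while the `!h` guard in the second hunk closes the unchecked-NULL dereference. One smaller nit: `native_handle_create` takes `int` parameters, so the implicit size_t-to-int narrowing at new line 302 relies on the earlier bound (below UINT_MAX/4, hence within INT_MAX) — a brief comment at the check stating that it also guarantees the values fit in `int` would make that dependency explicit. The enclosing unflatten function starts before the first hunk and continues past the second.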