From f646417e25194d7d1bbea7e12f35c5132d3c712f Mon Sep 17 00:00:00 2001
From: Michael Lentine
Date: Fri, 31 Oct 2014 15:25:03 -0700
Subject: [PATCH] Fix for corruption when numFds or numInts is too large.
Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6
(cherry picked from commit dfd06b89a4b77fc75eb85a3c1c700da3621c0118)
Signed-off-by: Michael Lentine
Tested-by: Moritz Bandemer
---
libs/ui/GraphicBuffer.cpp | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 219375e..4069fbc 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -272,10 +272,20 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
 const size_t numFds = buf[6];
 const size_t numInts = buf[7];
+ const size_t maxNumber = UINT_MAX / sizeof(int);
+ if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+ width = height = stride = format = usage = 0;
+ handle = NULL;
+ ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+ numFds, numInts);
+ return BAD_VALUE;
+ }
+
+
 const size_t sizeNeeded = (8 + numInts) * sizeof(int);
 if (size < sizeNeeded) return NO_MEMORY;
- size_t fdCountNeeded = 0;
+ size_t fdCountNeeded = numFds;
 if (count < fdCountNeeded) return NO_MEMORY;
 if (handle) {
@@ -290,6 +300,12 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
 format = buf[4];
 usage = buf[5];
 native_handle* h = native_handle_create(numFds, numInts);
+ if (!h) {
+ width = height = stride = format = usage = 0;
+ handle = NULL;
+ ALOGE("unflatten: native_handle_create failed");
+ return NO_MEMORY;
+ }
 memcpy(h->data, fds, numFds*sizeof(int));
 memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
 handle = h;
--
1.9.1
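Review bot: The new ALOGE call in the first hunk passes `numFds` and `numInts`, both declared `const size_t`, to `%d` conversions; `%zu` is the matching specifier, `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The `- 10` margin in `numInts >= (maxNumber - 10)` is presumably there so that `(8 + numInts) * sizeof(int)` in sizeNeeded cannot wrap, but nothing in the hunk says so; a comment such as `// keep (8 + numInts) * sizeof(int) and numFds * sizeof(int) below UINT_MAX` would record the intent. `UINT_MAX` needs `<climits>` (or `<limits.h>`) in scope, and the hunk does not show where that comes from. unflatten's body starts before this hunk and continues past it.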
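Review bot: The failure block added after `native_handle_create` in the second hunk repeats the five-field reset and `handle = NULL` that the first hunk's size check also writes, so the two error paths can drift apart; a small private helper (which would need a declaration in the class header, outside this patch) or at least a comment stating why the fields are cleared, e.g. `// clear the partially-assigned fields so a failed unflatten leaves no stale state`, would help. `format` and `usage` have already been overwritten from buf[4]/buf[5] by the time this check runs, which is presumably why they are reset here; width/height/stride are assigned somewhere before the hunk, so the same presumably holds for them. unflatten continues past the end of this hunk.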