
Commit 33a5e131 authored by Michael Lentine's avatar Michael Lentine Committed by Michael Bestas

Fix for corruption when numFds or numInts is too large.

Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6
parent 61998d4b
+16 −1
@@ -280,10 +280,19 @@ status_t GraphicBuffer::unflatten(
    const size_t numFds  = buf[6];
    const size_t numInts = buf[7];

    const size_t maxNumber = UINT_MAX / sizeof(int);
    if (numFds >= maxNumber || numInts >= (maxNumber - 8)) {
        width = height = stride = format = usage = 0;
        handle = NULL;
        ALOGE("unflatten: numFds or numInts is too large: %d, %d",
                numFds, numInts);
        return BAD_VALUE;
    }

    const size_t sizeNeeded = (8 + numInts) * sizeof(int);
    if (size < sizeNeeded) return NO_MEMORY;

    size_t fdCountNeeded = 0;
    size_t fdCountNeeded = numFds;
    if (count < fdCountNeeded) return NO_MEMORY;

    if (handle) {
@@ -298,6 +307,12 @@ status_t GraphicBuffer::unflatten(
        format = buf[4];
        usage  = buf[5];
        native_handle* h = native_handle_create(numFds, numInts);
        if (!h) {
            width = height = stride = format = usage = 0;
            handle = NULL;
            ALOGE("unflatten: native_handle_create failed");
            return NO_MEMORY;
        }
        memcpy(h->data,          fds,     numFds*sizeof(int));
        memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
        handle = h;
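Review bot: The new ALOGE in the first hunk passes two `size_t` values to `%d`, which is a format-specifier mismatch that prints wrong values (and is undefined behaviour) on LP64 builds; it should read `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. Note that the `maxNumber` guard only keeps the `(8 + numInts) * sizeof(int)` computation from wrapping; what actually bounds `numFds` before the `memcpy(h->data, fds, numFds*sizeof(int))` in the second hunk is the `count < fdCountNeeded` check, which only becomes effective because `fdCountNeeded` now starts at `numFds` instead of 0. That dependency deserves a comment on the assignment, e.g. `// fds[] holds `count` entries; reject if the flattened header claims more, or the memcpy below over-reads`. GraphicBuffer::unflatten begins before the first hunk and continues past the end of the second.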