
Commit 4ff0cb44 authored by Adam Lesinski, committed by Zach Riggle

Verify that the native handle was created

The inputs to native_handle_create can cause an overflowed allocation,
so check the return value of native_handle_create before accessing
the memory it returns.

Bug:19334482
Change-Id: I1f489382776c2a1390793a79dc27ea17baa9b2a2
(cherry picked from commit eaac99a7)
parent da9fd70d
+4 −0
@@ -1144,6 +1144,10 @@ native_handle* Parcel::readNativeHandle() const
    if (err != NO_ERROR) return 0;
    if (err != NO_ERROR) return 0;


    native_handle* h = native_handle_create(numFds, numInts);
    native_handle* h = native_handle_create(numFds, numInts);
    if (!h) {
        return 0;
    }

    for (int i=0 ; err==NO_ERROR && i<numFds ; i++) {
    for (int i=0 ; err==NO_ERROR && i<numFds ; i++) {
        h->data[i] = dup(readFileDescriptor());
        h->data[i] = dup(readFileDescriptor());
        if (h->data[i] < 0) err = BAD_VALUE;
        if (h->data[i] < 0) err = BAD_VALUE;
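
Review bot: The new `if (!h)` check after `native_handle_create(numFds, numInts)` only protects the `h->data[i]` writes if native_handle_create itself returns NULL when the size derived from numFds and numInts overflows; both counts are still passed through unvalidated in this hunk. Consider rejecting bad counts before the call, for example `if (numFds < 0 || numInts < 0) return 0;` together with an upper bound, so the loop does not depend on the callee's overflow handling. A one-line comment above the check saying that the counts can produce an overflowed allocation (as the commit message explains) would also help later readers.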