Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit eb5d7f2f authored by Lajos Molnar's avatar Lajos Molnar
Browse files

mtp: avoid silent allocation overflow in MtpProperty 

Bug: 13006907
Change-Id: Ice0352394840132c9c2ce6c28366632c792a32c0
parent 55d15957

media/mtp/MtpProperty.cpp

+8 −1
Original line number Original line Diff line number Diff line
@@ -17,6 +17,7 @@ 
#define LOG_TAG "MtpProperty"

#define LOG_TAG "MtpProperty"





#include <inttypes.h>

#include <inttypes.h>

#include <cutils/compiler.h>

#include "MtpDataPacket.h"

#include "MtpDataPacket.h"

#include "MtpDebug.h"

#include "MtpDebug.h"

#include "MtpProperty.h"

#include "MtpProperty.h"
@@ -518,8 +519,14 @@ void MtpProperty::writeValue(MtpDataPacket& packet, MtpPropertyValue& value) { 




MtpPropertyValue* MtpProperty::readArrayValues(MtpDataPacket& packet, int& length) {

MtpPropertyValue* MtpProperty::readArrayValues(MtpDataPacket& packet, int& length) {

    length = packet.getUInt32();

    length = packet.getUInt32();

    if (length == 0)

    // Fail if resulting array is over 2GB.  This is because the maximum array

    // size may be less than SIZE_MAX on some platforms.

    if ( CC_UNLIKELY(

            length == 0 ||

            length >= INT32_MAX / sizeof(MtpPropertyValue)) ) {

        length = 0;

        return NULL;

        return NULL;

    }

    MtpPropertyValue* result = new MtpPropertyValue[length];

    MtpPropertyValue* result = new MtpPropertyValue[length];

    for (int i = 0; i < length; i++)

    for (int i = 0; i < length; i++)

        readValue(packet, result[i]);

        readValue(packet, result[i]);