Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3082fe44 authored by Derek Sollenberger's avatar Derek Sollenberger
Browse files

Ensure that unparcelling Region only reads the expected number of bytes 

bug: 20883006
Change-Id: I4f109667fb210a80fbddddf5f1bfb7ef3a02b6ce
parent 90c66e3d

core/jni/android/graphics/Region.cpp

+8 −3
Original line number Diff line number Diff line
@@ -206,15 +206,20 @@ static jstring Region_toString(JNIEnv* env, jobject clazz, jlong regionHandle) { 


static jlong Region_createFromParcel(JNIEnv* env, jobject clazz, jobject parcel)

{

    if (parcel == NULL) {

        return NULL;

    if (parcel == nullptr) {

        return 0;

    }



    android::Parcel* p = android::parcelForJavaObject(env, parcel);



    SkRegion* region = new SkRegion;

    size_t size = p->readInt32();

    region->readFromMemory(p->readInplace(size), size);

    size_t actualSize = region->readFromMemory(p->readInplace(size), size);



    if (size != actualSize) {

        delete region;

        return 0;

    }



    return reinterpret_cast<jlong>(region);

}