
Commit 38803268 authored by Michael Lentine's avatar Michael Lentine Committed by Dan Albert

Fix for corruption when numFds or numInts is too large.

Bug: 18076253
Change-Id: I4c5935440013fc755e1d123049290383f4659fb6
(cherry picked from commit dfd06b89)
parent f8954c81
+16 −1
@@ -310,10 +310,19 @@ status_t GraphicBuffer::unflatten(
    const size_t numFds  = buf[8];
    const size_t numInts = buf[9];

    const size_t maxNumber = UINT_MAX / sizeof(int);
    if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
        width = height = stride = format = usage = 0;
        handle = NULL;
        ALOGE("unflatten: numFds or numInts is too large: %d, %d",
                numFds, numInts);
        return BAD_VALUE;
    }

    const size_t sizeNeeded = (10 + numInts) * sizeof(int);
    if (size < sizeNeeded) return NO_MEMORY;

    size_t fdCountNeeded = 0;
    size_t fdCountNeeded = numFds;
    if (count < fdCountNeeded) return NO_MEMORY;

    if (handle) {
@@ -328,6 +337,12 @@ status_t GraphicBuffer::unflatten(
        format = buf[4];
        usage  = buf[5];
        native_handle* h = native_handle_create(numFds, numInts);
        if (!h) {
            width = height = stride = format = usage = 0;
            handle = NULL;
            ALOGE("unflatten: native_handle_create failed");
            return NO_MEMORY;
        }
        memcpy(h->data,          fds,     numFds*sizeof(int));
        memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));
        handle = h;
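Review bot: The new ALOGE in the first hunk prints `numFds` and `numInts`, both declared `const size_t`, with `%d`; on a build where `size_t` is wider than `int` the varargs are read at the wrong width and the logged values are garbage, so the call should be `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The bound itself guards `(10 + numInts) * sizeof(int)` against wrapping, but `numFds` and `numInts` are only checked individually; whether `native_handle_create(numFds, numInts)` in the second hunk can still overflow on their sum in a 32-bit build depends on that helper, which is not shown here, and is worth confirming. The two early-return cleanup sequences (`width = height = stride = format = usage = 0; handle = NULL;`) are now duplicated across both hunks and would read better as one local helper. `GraphicBuffer::unflatten` begins before the first hunk and its body continues past the end of the second.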