
Commit e2824e04 authored by Dan Albert's avatar Dan Albert Committed by Gerrit Code Review

Merge "Fix for corruption when numFds or numInts is too large."

parents f8954c81 38803268
+16 −1
@@ -310,10 +310,19 @@ status_t GraphicBuffer::unflatten(
    const size_t numFds  = buf[8];
    const size_t numInts = buf[9];

    const size_t maxNumber = UINT_MAX / sizeof(int);
    if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
        width = height = stride = format = usage = 0;
        handle = NULL;
        ALOGE("unflatten: numFds or numInts is too large: %d, %d",
                numFds, numInts);
        return BAD_VALUE;
    }

    const size_t sizeNeeded = (10 + numInts) * sizeof(int);
    if (size < sizeNeeded) return NO_MEMORY;

    size_t fdCountNeeded = 0;
    size_t fdCountNeeded = numFds;
    if (count < fdCountNeeded) return NO_MEMORY;

    if (handle) {
@@ -328,6 +337,12 @@ status_t GraphicBuffer::unflatten(
        format = buf[4];
        usage  = buf[5];
        native_handle* h = native_handle_create(numFds, numInts);
        if (!h) {
            width = height = stride = format = usage = 0;
            handle = NULL;
            ALOGE("unflatten: native_handle_create failed");
            return NO_MEMORY;
        }
        memcpy(h->data,          fds,     numFds*sizeof(int));
        memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));
        handle = h;
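Review bot: The ALOGE on the new BAD_VALUE path in the first hunk formats `numFds` and `numInts` with `%d` although both are declared `size_t`, which is a -Wformat mismatch and reads the wrong argument width on LP64; use `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The two counts are also bounded only individually, so `native_handle_create(numFds, numInts)` in the second hunk can still receive values whose sum times sizeof(int) wraps a 32-bit size_t; that helper is not visible here, so confirm it guards its own allocation size or add a combined `numFds + numInts` bound next to the existing check. The pre-existing `NO_MEMORY` returns leave width/height/handle untouched while the new path zeroes them, which is worth aligning even though those lines predate this change. GraphicBuffer::unflatten begins before the first hunk and the `if (handle)` branch continues past the end of the second.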