am 26645298: Merge "Fix for corruption when numFds or numInts is too large." into lmp-mr1-dev (a2f27a0d) · Commits · e / os / android_frameworks_native

libs/ui/GraphicBuffer.cpp

+16 −1

Original line number	Original line	Diff line number	Diff line
	@@ -310,10 +310,19 @@ status_t GraphicBuffer::unflatten(
	const size_t numFds = buf[8];		const size_t numFds = buf[8];
	const size_t numInts = buf[9];		const size_t numInts = buf[9];

			const size_t maxNumber = UINT_MAX / sizeof(int);
			if (numFds >= maxNumber \|\| numInts >= (maxNumber - 10)) {
			width = height = stride = format = usage = 0;
			handle = NULL;
			ALOGE("unflatten: numFds or numInts is too large: %d, %d",
			numFds, numInts);
			return BAD_VALUE;
			}

	const size_t sizeNeeded = (10 + numInts) * sizeof(int);		const size_t sizeNeeded = (10 + numInts) * sizeof(int);
	if (size < sizeNeeded) return NO_MEMORY;		if (size < sizeNeeded) return NO_MEMORY;

	size_t fdCountNeeded = 0;		size_t fdCountNeeded = numFds;
	if (count < fdCountNeeded) return NO_MEMORY;		if (count < fdCountNeeded) return NO_MEMORY;

	if (handle) {		if (handle) {
	@@ -328,6 +337,12 @@ status_t GraphicBuffer::unflatten(
	format = buf[4];		format = buf[4];
	usage = buf[5];		usage = buf[5];
	native_handle* h = native_handle_create(numFds, numInts);		native_handle* h = native_handle_create(numFds, numInts);
			if (!h) {
			width = height = stride = format = usage = 0;
			handle = NULL;
			ALOGE("unflatten: native_handle_create failed");
			return NO_MEMORY;
			}
	memcpy(h->data, fds, numFds*sizeof(int));		memcpy(h->data, fds, numFds*sizeof(int));
	memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));		memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));
	handle = h;		handle = h;