
Commit 26645298 authored by Michael Lentine's avatar Michael Lentine Committed by Android (Google) Code Review

Merge "Fix for corruption when numFds or numInts is too large." into lmp-mr1-dev

parents 9cea6ccb dfd06b89
+16 −1
@@ -310,10 +310,19 @@ status_t GraphicBuffer::unflatten(
    const size_t numFds  = buf[8];
    const size_t numInts = buf[9];

    const size_t maxNumber = UINT_MAX / sizeof(int);
    if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
        width = height = stride = format = usage = 0;
        handle = NULL;
        ALOGE("unflatten: numFds or numInts is too large: %d, %d",
                numFds, numInts);
        return BAD_VALUE;
    }

    const size_t sizeNeeded = (10 + numInts) * sizeof(int);
    if (size < sizeNeeded) return NO_MEMORY;

    size_t fdCountNeeded = 0;
    size_t fdCountNeeded = numFds;
    if (count < fdCountNeeded) return NO_MEMORY;

    if (handle) {
@@ -328,6 +337,12 @@ status_t GraphicBuffer::unflatten(
        format = buf[4];
        usage  = buf[5];
        native_handle* h = native_handle_create(numFds, numInts);
        if (!h) {
            width = height = stride = format = usage = 0;
            handle = NULL;
            ALOGE("unflatten: native_handle_create failed");
            return NO_MEMORY;
        }
        memcpy(h->data,          fds,     numFds*sizeof(int));
        memcpy(h->data + numFds, &buf[10], numInts*sizeof(int));
        handle = h;
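Review bot: The new ALOGE directly after the size check passes `numFds` and `numInts`, both declared `const size_t` two lines above it, through `%d`; on an LP64 build that is a format/argument mismatch, so the value printed for the very condition this fix is meant to report can be wrong or shifted. Use the size_t conversion instead: `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The bound itself, `UINT_MAX / sizeof(int)` with 10 reserved for the header words, does keep `(10 + numInts) * sizeof(int)` from wrapping on a 32-bit size_t and keeps both counts in `int` range for `native_handle_create` in the second hunk; a short comment stating that intent, e.g. `// keep (10 + numInts) * sizeof(int) and the native_handle_create counts from overflowing`, would spare the next reader the derivation. One inconsistency a reader may stumble on: the two pre-existing `return NO_MEMORY` exits in this hunk leave `handle` and the dimension fields untouched, whereas the new BAD_VALUE path and the added `!h` path zero them first; whether callers rely on that reset is not visible here. GraphicBuffer::unflatten begins before the first hunk and continues past the end of the second.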