
Commit eaac99a7 authored by Adam Lesinski

Verify that the native handle was created

The inputs to native_handle_create can cause an overflowed allocation,
so check the return value of native_handle_create before accessing
the memory it returns.

Bug:19334482
Change-Id: I1f489382776c2a1390793a79dc27ea17baa9b2a2
parent be451b57
+4 −0
@@ -1347,6 +1347,10 @@ native_handle* Parcel::readNativeHandle() const
    if (err != NO_ERROR) return 0;

    native_handle* h = native_handle_create(numFds, numInts);
    if (!h) {
        return 0;
    }

    for (int i=0 ; err==NO_ERROR && i<numFds ; i++) {
        h->data[i] = dup(readFileDescriptor());
        if (h->data[i] < 0) err = BAD_VALUE;
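
Review bot: The new `if (!h)` check after `native_handle_create(numFds, numInts)` protects the loop only when native_handle_create itself notices the bad size and returns NULL. The commit message says the inputs can cause an overflowed allocation; if the size computation wraps and the allocation still succeeds with a too-small buffer, `h` is non-null and the `h->data[i]` writes for `i<numFds` run past it. Consider also rejecting negative or unreasonably large `numFds` and `numInts` in readNativeHandle before the call, so the guard does not depend on the callee's behavior. A short comment on the new check explaining why NULL is possible here would also help the next reader.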