diff options
author | Tom Taylor <tomtaylor@google.com> | 2017-01-04 09:42:37 -0800 |
---|---|---|
committer | Sean McCreary <mccreary@mcwest.org> | 2017-03-22 12:50:19 -0600 |
commit | 62371f2e4bfe3d54f2b79fe55bbb423642a235d2 (patch) | |
tree | 9f0388cb0ac27e56979c246fcfaf2a5258434a50 | |
parent | 04b3ef8ed45bf90c7da89935209f0f4375137197 (diff) | |
download | android_packages_apps_Messaging-62371f2e4bfe3d54f2b79fe55bbb423642a235d2.tar.gz android_packages_apps_Messaging-62371f2e4bfe3d54f2b79fe55bbb423642a235d2.tar.bz2 android_packages_apps_Messaging-62371f2e4bfe3d54f2b79fe55bbb423642a235d2.zip |
33388925 Mismatched new vs delete in framesequence library
* The array allocations neglected to include [] so delete, instead
of delete [] would get called.
* Test
Manual
- tested sending a large gif that would invoke the GifTranscoder library
to make the gif smaller.
Bug: 33388925
CVE-2017-0476
Change-Id: I1e200e470d66ae615ffe9340ff9c049eaa73f63c
(cherry picked from commit 837474a376a4599d57f791966080f93ca7afaf67)
(cherry picked from commit 8ba22b48ebff50311d7eaa8d512f9d507f0bdd0d)
-rw-r--r-- | jni/GifTranscoder.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp index 0d50770..81f3f75 100644 --- a/jni/GifTranscoder.cpp +++ b/jni/GifTranscoder.cpp @@ -144,10 +144,10 @@ bool GifTranscoder::resizeBoxFilter(GifFileType* gifIn, GifFileType* gifOut) { std::vector<GifByteType> srcBuffer(gifIn->SWidth * gifIn->SHeight); // Buffer for rendering images from the input GIF. - std::unique_ptr<ColorARGB> renderBuffer(new ColorARGB[gifIn->SWidth * gifIn->SHeight]); + std::unique_ptr<ColorARGB[]> renderBuffer(new ColorARGB[gifIn->SWidth * gifIn->SHeight]); // Buffer for writing new images to output GIF (one row at a time). - std::unique_ptr<GifByteType> dstRowBuffer(new GifByteType[gifOut->SWidth]); + std::unique_ptr<GifByteType[]> dstRowBuffer(new GifByteType[gifOut->SWidth]); // Many GIFs use DISPOSE_DO_NOT to make images draw on top of previous images. They can also // use DISPOSE_BACKGROUND to clear the last image region before drawing the next one. We need |