diff options
author | Pablo Ceballos <pceballos@google.com> | 2016-07-13 14:11:57 -0700 |
---|---|---|
committer | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2020-01-02 15:47:20 +0100 |
commit | 6b96ced9dfd0d771ea9df984fa3e76680ee3be5a (patch) | |
tree | 85e64a4dcb6fa6d8567f3a7e36853721259f5881 | |
parent | 14204cab2e484ae32445462fce8ca7c67ee1f35d (diff) | |
download | frameworks_native-6b96ced9dfd0d771ea9df984fa3e76680ee3be5a.tar.gz frameworks_native-6b96ced9dfd0d771ea9df984fa3e76680ee3be5a.tar.bz2 frameworks_native-6b96ced9dfd0d771ea9df984fa3e76680ee3be5a.zip |
Region: Detect malicious overflow in unflatten
Bug 29983260
Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
-rw-r--r-- | libs/ui/Region.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp index cfed7a984..04ed88a47 100644 --- a/libs/ui/Region.cpp +++ b/libs/ui/Region.cpp @@ -800,6 +800,11 @@ status_t Region::unflatten(void const* buffer, size_t size) { return NO_MEMORY; } + if (numRects > (UINT32_MAX / sizeof(Rect))) { + android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0); + return NO_MEMORY; + } + Region result; result.mStorage.clear(); for (size_t r = 0; r < numRects; ++r) { |