Region: Detect malicious overflow in unflatten

Bug 29983260 Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
author: Pablo Ceballos <pceballos@google.com> 2016-07-13 14:11:57 -0700
committer: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> 2020-01-02 15:47:20 +0100
commit: 6b96ced9dfd0d771ea9df984fa3e76680ee3be5a (patch)
tree: 85e64a4dcb6fa6d8567f3a7e36853721259f5881
parent: 14204cab2e484ae32445462fce8ca7c67ee1f35d (diff)
download: frameworks_native-6b96ced9dfd0d771ea9df984fa3e76680ee3be5a.tar.gz
frameworks_native-6b96ced9dfd0d771ea9df984fa3e76680ee3be5a.tar.bz2
frameworks_native-6b96ced9dfd0d771ea9df984fa3e76680ee3be5a.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp
index cfed7a984..04ed88a47 100644
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp
@@ -800,6 +800,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
         return NO_MEMORY;
     }
 
+    if (numRects > (UINT32_MAX / sizeof(Rect))) {
+        android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
+        return NO_MEMORY;
+    }
+
     Region result;
     result.mStorage.clear();
     for (size_t r = 0; r < numRects; ++r) {
author	Pablo Ceballos <pceballos@google.com>	2016-07-13 14:11:57 -0700
committer	Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>	2020-01-02 15:47:20 +0100
commit	6b96ced9dfd0d771ea9df984fa3e76680ee3be5a (patch)
tree	85e64a4dcb6fa6d8567f3a7e36853721259f5881
parent	14204cab2e484ae32445462fce8ca7c67ee1f35d (diff)
download	frameworks_native-6b96ced9dfd0d771ea9df984fa3e76680ee3be5a.tar.gz frameworks_native-6b96ced9dfd0d771ea9df984fa3e76680ee3be5a.tar.bz2 frameworks_native-6b96ced9dfd0d771ea9df984fa3e76680ee3be5a.zip