author | Chris Forbes <chrisforbes@google.com> | 2017-05-10 13:12:00 -0700 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-07-06 21:37:51 +0200 |
commit | a3a09ef6b40ffc44c6d17a2d8d798fbd19456c59 (patch) | |
tree | 559b854761cc831ce35afb0d5a0c84571439d625 | |
parent | c5fe5044f44d0bcbba3ea56cc4d17e80e4b74ef9 (diff) | |
ui: Fix bad size check in Fence::unflatten
Differs slightly from mnc+ patch: GetFlattenedSize was fixed in mnc.
Test: Boot device, run poc from bug, observe no longer crashes
Bug: 37285689
AOSP-Change-Id: Id8b851733b088cce0d07493fbf76e7e24f9299ad
(cherry picked from commit 9809602ac32dcb7bceaa5bc34df5b7fb68aacd38)
CVE-2017-0666
Change-Id: I778c82b363ca0409d534f255cc5d17b39e751986
-rw-r--r-- | libs/ui/Fence.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libs/ui/Fence.cpp b/libs/ui/Fence.cpp index bf24ffb7e..1b2f34dfa 100644 --- a/libs/ui/Fence.cpp +++ b/libs/ui/Fence.cpp @@ -157,7 +157,7 @@ status_t Fence::unflatten(void const*& buffer, size_t& size, int const*& fds, si return INVALID_OPERATION; } - if (size < 1) { + if (size < getFlattenedSize()) { return NO_MEMORY; } |
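Review bot: the new bound in `if (size < getFlattenedSize())` is only as strong as the value getFlattenedSize() returns on this branch, and the commit message says this patch differs from the mnc+ one because that function was fixed in mnc. Please state in the description what getFlattenedSize() returns here and confirm it covers every byte Fence::unflatten reads from `buffer` after this check; if it does not, compare `size` against the actual read length instead. The only test listed is a manual run of the PoC, so a unit test that passes an undersized `size` to Fence::unflatten and expects NO_MEMORY would keep the check from regressing. A short comment above the check saying why the old `size < 1` test was insufficient would also help future readers.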