author Chris Forbes <chrisforbes@google.com> 2017-05-10 13:12:00 -0700
committer MSe <mse1969@posteo.de> 2017-07-06 21:37:51 +0200
commit a3a09ef6b40ffc44c6d17a2d8d798fbd19456c59
tree 559b854761cc831ce35afb0d5a0c84571439d625
parent c5fe5044f44d0bcbba3ea56cc4d17e80e4b74ef9
ui: Fix bad size check in Fence::unflatten

Differs slightly from mnc+ patch: GetFlattenedSize was fixed in mnc.

Test: Boot device, run poc from bug, observe no longer crashes
Bug: 37285689
AOSP-Change-Id: Id8b851733b088cce0d07493fbf76e7e24f9299ad
(cherry picked from commit 9809602ac32dcb7bceaa5bc34df5b7fb68aacd38)

CVE-2017-0666

Change-Id: I778c82b363ca0409d534f255cc5d17b39e751986

-rw-r--r-- libs/ui/Fence.cpp 2
1 files changed, 1 insertions, 1 deletions
diff --git a/libs/ui/Fence.cpp b/libs/ui/Fence.cpp
index bf24ffb7e..1b2f34dfa 100644
--- a/libs/ui/Fence.cpp
+++ b/libs/ui/Fence.cpp
@@ -157,7 +157,7 @@ status_t Fence::unflatten(void const*& buffer, size_t& size, int const*& fds, si
return INVALID_OPERATION;
}
- if (size < 1) {
+ if (size < getFlattenedSize()) {
return NO_MEMORY;
}
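
Review bot: The new bound in `if (size < getFlattenedSize()) {` is only as strong as the value getFlattenedSize() returns in this tree, and the commit message says that function "was fixed in mnc" while this patch leaves it untouched. Please confirm that on this branch it returns at least the number of bytes unflatten goes on to read from `buffer`; if it does not, the check stays too permissive, and the cherry-pick should either carry the getFlattenedSize fix with it or compare `size` against the explicit size of the data being read. A short comment above the check saying that it guards the reads from `buffer` that follow would also make the dependency visible to whoever backports this next.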