summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAdam Lesinski <adamlesinski@google.com>2015-05-12 17:35:48 -0700
committerAbhisek Devkota <ciwrl@cyanogenmod.com>2015-08-12 14:20:45 -0700
commit76f9bfc5de9618df02d3094d6593dd8056f97ea6 (patch)
tree039487aa0a7fcfcfa2bf4e123d0de97cf0f870ed
parentda0467a64e247b4fc3c2584d1e65359e7d88a2e0 (diff)
downloadandroid_frameworks_native-stable/cm-11.0-XNG3C.tar.gz
android_frameworks_native-stable/cm-11.0-XNG3C.tar.bz2
android_frameworks_native-stable/cm-11.0-XNG3C.zip
Verify that the native handle was createdstable/cm-11.0-XNG3C
The inputs to native_handle_create can cause an overflowed allocation, so check the return value of native_handle_create before accessing the memory it returns. CYNGNOS-446 Bug:19334482 Change-Id: I1f489382776c2a1390793a79dc27ea17baa9b2a2 (cherry picked from commit eaac99a7172da52a76ba48c26413778a74951b1a) (cherry picked from commit c491676cc2775d978bc52e323d5a743b53bfe51d)
-rw-r--r--libs/binder/Parcel.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index db9e0a1e2..e5a287157 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1144,6 +1144,10 @@ native_handle* Parcel::readNativeHandle() const
if (err != NO_ERROR) return 0;
native_handle* h = native_handle_create(numFds, numInts);
+ if (!h) {
+ return 0;
+ }
+
for (int i=0 ; err==NO_ERROR && i<numFds ; i++) {
h->data[i] = dup(readFileDescriptor());
if (h->data[i] < 0) err = BAD_VALUE;