diff options
author | Shawn Willden <swillden@google.com> | 2015-06-25 06:52:45 -0700 |
---|---|---|
committer | Shawn Willden <swillden@google.com> | 2015-06-25 11:32:06 -0700 |
commit | 5cc765aa8a87a5f96cdb4be9b67e20174d866ec4 (patch) | |
tree | 266dfd832cd7c873740d75404ed440f8463395aa /include | |
parent | 73e71591b28ac4615d03ca08ecab7f6358751bf4 (diff) | |
download | android_system_keymaster-5cc765aa8a87a5f96cdb4be9b67e20174d866ec4.tar.gz android_system_keymaster-5cc765aa8a87a5f96cdb4be9b67e20174d866ec4.tar.bz2 android_system_keymaster-5cc765aa8a87a5f96cdb4be9b67e20174d866ec4.zip |
Add a missing bounds check.
Bug: 21888473
Change-Id: Iafd7e6dbb3d7a36ad9dbad279e501fdfb26f812a
Diffstat (limited to 'include')
-rw-r--r-- | include/keymaster/serializable.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/keymaster/serializable.h b/include/keymaster/serializable.h index a7cce83..6dd31b2 100644 --- a/include/keymaster/serializable.h +++ b/include/keymaster/serializable.h @@ -173,7 +173,7 @@ inline bool copy_uint32_array_from_buf(const uint8_t** buf_ptr, const uint8_t* e return false; const uint8_t* array_end = *buf_ptr + *count * sizeof(uint32_t); - if (array_end < *buf_ptr || array_end > end) + if (*count >= UINT32_MAX / sizeof(uint32_t) || array_end < *buf_ptr || array_end > end) return false; data->reset(new (std::nothrow) T[*count]); |