diff options
| author | 2016-07-13 14:11:57 -0700 | |
|---|---|---|
| committer | 2016-07-14 14:05:19 +0000 | |
| commit | 1a65fccc500c9d75adabbc06cd7d26ec01c3f333 (patch) | |
| tree | 1260e123b2a047b9e5b6a1ff915e7f395e236266 | |
| parent | a1952f0a6ddab4c4e950ee9d924735ea5c96743f (diff) | |
Region: Detect malicious overflow in unflatten
Bug 29983260
Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
| -rw-r--r-- | libs/ui/Region.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp index 3810da4049..cfed7a984c 100644 --- a/libs/ui/Region.cpp +++ b/libs/ui/Region.cpp @@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) { return NO_MEMORY; } + if (numRects > (UINT32_MAX / sizeof(Rect))) { + android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0); + return NO_MEMORY; + } + Region result; result.mStorage.clear(); for (size_t r = 0; r < numRects; ++r) { |