author Michael Wright <michaelwr@google.com> 2015-10-21 14:38:03 +0100
committer Michael Wright <michaelwr@google.com> 2015-10-22 14:37:06 +0000
commit4c971c001f401d7742db326c8e5654693eb3687e (patch)
treefbe7fd128b4a7521bb328dfb2f708034d0a2d848 /libs/input/KeyCharacterMap.cpp
parent99497cd85b75667adc4b546f3570b91982959163 (diff)
Limit the number of keys read by KeyCharacterMaps.
Apps can send us a KCM containing a ridiculous key count, which will cause us to crash when an allocation fails. Limit the key count so this doesn't happen. Bug: 24876135 Change-Id: I2bb4a5acabfc9184a867a406eef756c28c28f0ad
Diffstat (limited to 'libs/input/KeyCharacterMap.cpp')
-rw-r--r--libs/input/KeyCharacterMap.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/libs/input/KeyCharacterMap.cpp b/libs/input/KeyCharacterMap.cpp
index dd01a934ba..fe649fb548 100644
--- a/libs/input/KeyCharacterMap.cpp
+++ b/libs/input/KeyCharacterMap.cpp
@@ -607,6 +607,10 @@ sp<KeyCharacterMap> KeyCharacterMap::readFromParcel(Parcel* parcel) {
if (parcel->errorCheck()) {
return NULL;
}
+ if (numKeys > MAX_KEYS) {
+ ALOGE("Too many keys in KeyCharacterMap (%d > %d)", numKeys, MAX_KEYS);
+ return NULL;
+ }
for (size_t i = 0; i < numKeys; i++) {
int32_t keyCode = parcel->readInt32();
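Review bot: The added `ALOGE` call formats `numKeys` with `%d`, but the loop right after the check compares it against a `size_t` index, which suggests `numKeys` is itself `size_t` (its declaration is above the hunk, so confirm). If so, the specifier should be `%zu`, as in `ALOGE("Too many keys in KeyCharacterMap (%zu > %d)", numKeys, MAX_KEYS);`, since a mismatched specifier is undefined behaviour on 64-bit builds. If `numKeys` is instead a signed 32-bit value, a negative count read from the parcel passes `numKeys > MAX_KEYS`, and the guard should also reject `numKeys < 0`. A short comment above the check, such as `// numKeys comes from an untrusted Parcel; bound it before allocating per-key state.`, would record why the limit exists. `readFromParcel` starts above and continues below this hunk, so the per-key reads inside the loop are not visible here.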