author Michael Lentine <mlentine@google.com> 2014-12-02 17:45:44 +0000
committer Android Git Automerger <android-git-automerger@android.com> 2014-12-02 17:45:44 +0000
commit3d89edca65e07319c9ac3b9bb9889e80e8c40578 (patch)
treef9c0294ff7c319d48bd5af9281097ed6fff1a439 /libs/ui/GraphicBuffer.cpp
parent23c2fcbbf4be87580e64132150aa554b764425c2 (diff)
parente6f7a44e835d320593fa33052f35ea52948ff0b2 (diff)
am e6f7a44e: Fix for corruption when numFds or numInts is too large.
* commit 'e6f7a44e835d320593fa33052f35ea52948ff0b2': Fix for corruption when numFds or numInts is too large.
Diffstat (limited to 'libs/ui/GraphicBuffer.cpp')
-rw-r--r--libs/ui/GraphicBuffer.cpp17
1 files changed, 16 insertions, 1 deletions
diff --git a/libs/ui/GraphicBuffer.cpp b/libs/ui/GraphicBuffer.cpp
index 580788d0e9..4dff5f16e8 100644
--- a/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@ -250,10 +250,19 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
const size_t numFds = buf[6];
const size_t numInts = buf[7];
+ const size_t maxNumber = UINT_MAX / sizeof(int);
+ if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
+ width = height = stride = format = usage = 0;
+ handle = NULL;
+ ALOGE("unflatten: numFds or numInts is too large: %d, %d",
+ numFds, numInts);
+ return BAD_VALUE;
+ }
+
const size_t sizeNeeded = (8 + numInts) * sizeof(int);
if (size < sizeNeeded) return NO_MEMORY;
- size_t fdCountNeeded = 0;
+ size_t fdCountNeeded = numFds;
if (count < fdCountNeeded) return NO_MEMORY;
if (handle) {
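Review bot: The new rejection branch assigns `handle = NULL` before the existing `if (handle) {` block below it has run, so an object that already held a handle drops the pointer without releasing it. The body of that block is outside the hunk, but if it is what frees the previous handle, every rejected input leaks that handle and the descriptors it carries; release the old handle before clearing the fields. Separately, `numFds` and `numInts` are `size_t` but are logged with `%d`, which is a mismatched specifier on LP64 builds; use `ALOGE("unflatten: numFds or numInts is too large: %zu, %zu", numFds, numInts);`. The two pre-existing `return NO_MEMORY;` paths leave the object's fields as they were, unlike this branch, so the error paths now disagree about the state they leave behind.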
@@ -268,6 +277,12 @@ status_t GraphicBuffer::unflatten(void const* buffer, size_t size,
format = buf[4];
usage = buf[5];
native_handle* h = native_handle_create(numFds, numInts);
+ if (!h) {
+ width = height = stride = format = usage = 0;
+ handle = NULL;
+ ALOGE("unflatten: native_handle_create failed");
+ return NO_MEMORY;
+ }
memcpy(h->data, fds, numFds*sizeof(int));
memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
handle = h;
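Review bot: The failure branch repeats the same two reset lines (`width = height = stride = format = usage = 0;` and `handle = NULL;`) that the size check earlier in this commit adds, so the definition of an "empty" buffer now lives in two places that can drift apart. A single private helper called from both branches would keep them in step. The hunk also does not show who owns the descriptors in `fds` when this path returns `NO_MEMORY` before the `memcpy`; if the caller keeps ownership on failure, a comment such as `// on failure fds remain owned by the caller` above the check would make that contract explicit. The enclosing function starts and ends outside the hunk.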