Region: Detect malicious overflow in unflatten

Bug 29983260 Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b

Region: Detect malicious overflow in unflatten
Bug 29983260 Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
07cd4cdf · Pablo Ceballos · gitbuildkicker · 54cb02ad · 07cd4cdf
Commit 07cd4cdf authored 8 years ago by Pablo Ceballos Committed by gitbuildkicker 8 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

libs/ui/Region.cpp libs/ui/Region.cpp +5 -0

No files found.
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp
@@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
        return NO_MEMORY;
    }

+    if (numRects > (UINT32_MAX / sizeof(Rect))) {
+        android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
+        return NO_MEMORY;
+    }
+
    Region result;
    result.mStorage.clear();
    for (size_t r = 0; r < numRects; ++r) {