am 592cc33c: am e86f7e96: am 3c0272ba: am dc2d031a: am da9fd70d: am 2758eb2e: am...

author Michael Lentine <mlentine@google.com>

Thu, 19 Feb 2015 01:06:53 +0000 (01:06 +0000)

committer Android Git Automerger <android-git-automerger@android.com>

Thu, 19 Feb 2015 01:06:53 +0000 (01:06 +0000)
author Michael Lentine <mlentine@google.com>
Thu, 19 Feb 2015 01:06:53 +0000 (01:06 +0000)
committer Android Git Automerger <android-git-automerger@android.com>
Thu, 19 Feb 2015 01:06:53 +0000 (01:06 +0000)
diff --cc libs/ui/GraphicBuffer.cpp

index 425df38,3ae8840..638ac62
--- 1/libs/ui/GraphicBuffer.cpp
--- 2/libs/ui/GraphicBuffer.cpp
+++ b/libs/ui/GraphicBuffer.cpp
@@@ -320,10 -307,14 +320,14 @@@ status_t GraphicBuffer::unflatten
       int const* buf = static_cast<int const*>(buffer);
       if (buf[0] != 'GBFR') return BAD_TYPE;
   
- -    const size_t numFds  = buf[8];
- -    const size_t numInts = buf[9];
+ +    const size_t numFds  = static_cast<size_t>(buf[8]);
+ +    const size_t numInts = static_cast<size_t>(buf[9]);
   
-     const size_t maxNumber = UINT_MAX / sizeof(int);
+     // Limit the maxNumber to be relatively small. The number of fds or ints
+     // should not come close to this number, and the number itself was simply
+     // chosen to be high enough to not cause issues and low enough to prevent
+     // overflow problems.
+     const size_t maxNumber = 4096;
       if (numFds >= maxNumber || numInts >= (maxNumber - 10)) {
           width = height = stride = format = usage = 0;
           handle = NULL;
author	Michael Lentine <mlentine@google.com>
	Thu, 19 Feb 2015 01:06:53 +0000 (01:06 +0000)
committer	Android Git Automerger <android-git-automerger@android.com>
	Thu, 19 Feb 2015 01:06:53 +0000 (01:06 +0000)