Add isSafeArraySize for new array size checks

author Andy Hung <hunga@google.com>

Tue, 29 Jul 2014 19:14:00 +0000 (12:14 -0700)

committer Lajos Molnar <lajos@google.com>

Wed, 30 Jul 2014 00:57:50 +0000 (00:57 +0000)
author Andy Hung <hunga@google.com>
Tue, 29 Jul 2014 19:14:00 +0000 (12:14 -0700)
committer Lajos Molnar <lajos@google.com>
Wed, 30 Jul 2014 00:57:50 +0000 (00:57 +0000)
diff --git a/include/media/stagefright/foundation/ABase.h b/include/media/stagefright/foundation/ABase.h

index 9eceea3..949d49e 100644 (file)
--- a/include/media/stagefright/foundation/ABase.h
+++ b/include/media/stagefright/foundation/ABase.h
@@ -22,4 +22,31 @@
      name(const name &); \
      name &operator=(const name &)
  
+/* Returns true if the size parameter is safe for new array allocation (32-bit)
+ *
+ * Example usage:
+ *
+ * if (!isSafeArraySize<uint32_t>(arraySize)) {
+ *     return BAD_VALUE;
+ * }
+ * ...
+ * uint32_t *myArray = new uint32_t[arraySize];
+ *
+ * There is a bug in gcc versions earlier than 4.8 where the new[] array allocation
+ * will overflow in the internal 32 bit heap allocation, resulting in an
+ * underallocated array. This is a security issue that allows potential overwriting
+ * of other heap data.
+ *
+ * An alternative to checking is to create a safe new array template function which
+ * either throws a std::bad_alloc exception or returns NULL/nullptr_t; NULL considered
+ * safe since normal access of NULL throws an exception.
+ *
+ * https://securityblog.redhat.com/2012/10/31/array-allocation-in-cxx/
+ */
+template <typename T, typename S>
+bool isSafeArraySize(S size) {
+    return size >= 0                            // in case S is signed, ignored if not.
+            && size <= 0xffffffff / sizeof(T);  // max-unsigned-32-bit-int / element-size.
+}
+
  #endif  // A_BASE_H_
author	Andy Hung <hunga@google.com>
	Tue, 29 Jul 2014 19:14:00 +0000 (12:14 -0700)
committer	Lajos Molnar <lajos@google.com>
	Wed, 30 Jul 2014 00:57:50 +0000 (00:57 +0000)