From: Pablo Ceballos
Date: Wed, 13 Jul 2016 21:11:57 +0000 (-0700)
Subject: Region: Detect malicious overflow in unflatten
X-Git-Tag: android-x86-7.1-r1~145^2^2^2^2^2
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=1a65fccc500c9d75adabbc06cd7d26ec01c3f333;p=android-x86%2Fframeworks-native.git
Region: Detect malicious overflow in unflatten
Bug 29983260
Change-Id: Ib6e1cb8ae279010c5e9960aaa03513f55b7d873b
---
diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp
index 3810da4049..cfed7a984c 100644
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp
@@ -795,6 +795,11 @@ status_t Region::unflatten(void const* buffer, size_t size) {
 return NO_MEMORY;
 }
 
+ if (numRects > (UINT32_MAX / sizeof(Rect))) {
+ android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
+ return NO_MEMORY;
+ }
+
 Region result;
 result.mStorage.clear();
 for (size_t r = 0; r < numRects; ++r) {
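Review bot: The new guard on `numRects` sits after an earlier check whose `return NO_MEMORY;` tail is visible as context, and nothing in the added lines says which arithmetic it protects. If that earlier check (outside the hunk) multiplies `numRects` by `sizeof(Rect)`, placing this guard above it would keep the size comparison from ever being evaluated on a wrapped product. The outcome is the same either way because both checks must pass, but the ordering would then match the intent. A comment such as `// Reject rect counts whose byte size would wrap 32-bit arithmetic; 0x534e4554 ("SNET") tags the SafetyNet event for bug 29983260.` would also explain the magic constant to the next reader. `Region::unflatten` begins and continues outside the hunk.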