From 3082fe440f90b7a3e6e031b6641f4a71b907dd4f Mon Sep 17 00:00:00 2001
From: Derek Sollenberger
Date: Wed, 13 May 2015 15:45:04 -0400
Subject: [PATCH] Ensure that unparcelling Region only reads the expected number of bytes

bug: 20883006
Change-Id: I4f109667fb210a80fbddddf5f1bfb7ef3a02b6ce
---
 core/jni/android/graphics/Region.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/core/jni/android/graphics/Region.cpp b/core/jni/android/graphics/Region.cpp
index 90a020eb5828..cf02e394280c 100644
--- a/core/jni/android/graphics/Region.cpp
+++ b/core/jni/android/graphics/Region.cpp
@@ -206,15 +206,20 @@ static jstring Region_toString(JNIEnv* env, jobject clazz, jlong regionHandle) {
 static jlong Region_createFromParcel(JNIEnv* env, jobject clazz, jobject parcel)
 {
- if (parcel == NULL) {
- return NULL;
+ if (parcel == nullptr) {
+ return 0;
 }
 android::Parcel* p = android::parcelForJavaObject(env, parcel);
 SkRegion* region = new SkRegion;
 size_t size = p->readInt32();
- region->readFromMemory(p->readInplace(size), size);
+ size_t actualSize = region->readFromMemory(p->readInplace(size), size);
+
+ if (size != actualSize) {
+ delete region;
+ return 0;
+ }
 return reinterpret_cast(region);
 }
-- 
2.11.0
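Review bot: The result of `p->readInplace(size)` is still handed straight to `readFromMemory` without a null check, and `size` comes from `p->readInt32()` through an implicit signed-to-`size_t` conversion, so a negative length in the parcel turns into a very large size. As far as I know `Parcel::readInplace` returns null when the parcel cannot supply the requested bytes; whether `SkRegion::readFromMemory` tolerates a null buffer is not visible in this hunk, so the new `size != actualSize` comparison should not be the only guard on parcel-supplied data. Validating the length and the buffer before allocating the region also removes the need for `delete region` on those early-exit paths. It is also worth confirming that `parcelForJavaObject` cannot return null before `p` is dereferenced.

```cpp
    android::Parcel* p = android::parcelForJavaObject(env, parcel);

    // The length is read from the parcel; reject negative values before widening to size_t.
    const int32_t declaredSize = p->readInt32();
    if (declaredSize < 0) {
        return 0;
    }
    const size_t size = static_cast<size_t>(declaredSize);

    // readInplace yields null when the parcel cannot supply `size` bytes.
    const void* regionData = p->readInplace(size);
    if (regionData == nullptr) {
        return 0;
    }

    SkRegion* region = new SkRegion;
    size_t actualSize = region->readFromMemory(regionData, size);
    // … unchanged: size != actualSize check, delete on mismatch, final return …
```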