git.osdn.net Git - android-x86/frameworks-native.git/commit

(root) / android-x86 / frameworks-native.git / commit

author	Casey Dahlin <sadmac@google.com>
	Thu, 27 Oct 2016 00:18:25 +0000 (17:18 -0700)
committer	Casey Dahlin <sadmac@google.com>
	Thu, 27 Oct 2016 00:18:25 +0000 (17:18 -0700)
commit	65a8f07e57a492289798ca709a311650b5bd5af1
tree	d6d7cbaa1f769f8f1cb5d0158c8ae5498a00a607	tree \| snapshot
parent	8211047138ea7892c73f4e6f6291a85a11759e0c	commit \| diff

Fix integer overflow in unsafeReadTypedVector

Passing a size to std::vector that is too big causes it to silently
under-allocate when exceptions are disabled, leaving us open to an OOB
write. We check the bounds and the resulting size now to verify
allocation succeeds.

Test: Verified reproducer attached to bug no longer crashes Camera
service.
Bug: 31677614

Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7

include/binder/Parcel.h

diff | blob | history

frameworks/native

RSS Atom

About OSDN

Find Software

Develop Software

Help