Prevent integer overflow when allocating native_handle_t

User specified values of numInts and numFds can overflow
and cause malloc to allocate less than we expect, causing
heap corruption in subsequent operations on the allocation.

Bug: 19334482
Change-Id: I43c75f536ea4c08f14ca12ca6288660fd2d1ec55
This commit is contained in:
Adam Lesinski 2015-04-27 12:13:33 -07:00
parent efbf36f2da
commit 9bd7afc0a1

View file

@ -25,14 +25,22 @@
#include <cutils/log.h>
#include <cutils/native_handle.h>
static const int kMaxNativeFds = 1024;
static const int kMaxNativeInts = 1024;
native_handle_t* native_handle_create(int numFds, int numInts)
{
native_handle_t* h = malloc(
sizeof(native_handle_t) + sizeof(int)*(numFds+numInts));
if (numFds < 0 || numInts < 0 || numFds > kMaxNativeFds || numInts > kMaxNativeInts) {
return NULL;
}
h->version = sizeof(native_handle_t);
h->numFds = numFds;
h->numInts = numInts;
size_t mallocSize = sizeof(native_handle_t) + (sizeof(int) * (numFds + numInts));
native_handle_t* h = malloc(mallocSize);
if (h) {
h->version = sizeof(native_handle_t);
h->numFds = numFds;
h->numInts = numInts;
}
return h;
}