commit | bdb01d03fe9d709991962ded721cf8d4d0701cdd | [log] [tgz] |
---|---|---|
author | Casey Dahlin <sadmac@google.com> | Wed Oct 26 17:18:25 2016 -0700 |
committer | gitbuildkicker <android-build@google.com> | Wed Nov 30 12:12:38 2016 -0800 |
tree | 44167cd6e9364f9b83e7c625ecdc2200d745352f | |
parent | f8a5f64acdf12957cdf7b906807a6584c6420bfc [diff] |
Fix integer overflow in unsafeReadTypedVector Passing a size to std::vector that is too big causes it to silently under-allocate when exceptions are disabled, leaving us open to an OOB write. We check the bounds and the resulting size now to verify allocation succeeds. Test: Verified reproducer attached to bug no longer crashes Camera service. Bug: 31677614 Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7 (cherry picked from commit 65a8f07e57a492289798ca709a311650b5bd5af1)