Prevent integer overflow when allocating native_handle_t User specified values of numInts and numFds can overflow and cause malloc to allocate less than we expect, causing heap corruption in subsequent operations on the allocation. Bug: 19334482 Change-Id: I43c75f536ea4c08f14ca12ca6288660fd2d1ec55

commit: db9755285b074d5bce3b940bf477e91c17fd0873 [log] [tgz]
author: Adam Lesinski <adamlesinski@google.com> Mon Apr 27 12:13:33 2015 -0700
committer: The Android Automerger <android-build@android.com> Fri Aug 14 12:05:52 2015 -0700
tree: d9f0dd6e806932662c1a158f10a1363ec569ea60
parent: 5b3aa21bc70d42b3fcb1764a1be04ab8db5ebfb9 [diff]
diff --git a/libcutils/native_handle.c b/libcutils/native_handle.c
index 9a4a5bb..61fa38e 100644
--- a/libcutils/native_handle.c
+++ b/libcutils/native_handle.c

@@ -25,11 +25,17 @@
 #include <cutils/log.h>
 #include <cutils/native_handle.h>
 
+static const int kMaxNativeFds = 1024;
+static const int kMaxNativeInts = 1024;
+
 native_handle_t* native_handle_create(int numFds, int numInts)
 {
-    native_handle_t* h = malloc(
-            sizeof(native_handle_t) + sizeof(int)*(numFds+numInts));
+    if (numFds < 0 || numInts < 0 || numFds > kMaxNativeFds || numInts > kMaxNativeInts) {
+        return NULL;
+    }
 
+    size_t mallocSize = sizeof(native_handle_t) + (sizeof(int) * (numFds + numInts));
+    native_handle_t* h = malloc(mallocSize);
     if (h) {
         h->version = sizeof(native_handle_t);
         h->numFds = numFds;
commit	db9755285b074d5bce3b940bf477e91c17fd0873	[log] [tgz]
author	Adam Lesinski <adamlesinski@google.com>	Mon Apr 27 12:13:33 2015 -0700
committer	The Android Automerger <android-build@android.com>	Fri Aug 14 12:05:52 2015 -0700
tree	d9f0dd6e806932662c1a158f10a1363ec569ea60
parent	5b3aa21bc70d42b3fcb1764a1be04ab8db5ebfb9 [diff]