Region: Detect malicious overflow in unflatten am: 1a65fccc50 am: fd579a51b5 am: 0e85f4d48d am: 0ec362e024 am: b82c6f52c0 Change-Id: Iae280f2d174a8144e7c9fa657cd346597658927c

commit: e31fd642a4bb5a32e7d9e4f77e3163f8dfe935bc [log] [tgz]
author: Pablo Ceballos <pceballos@google.com> Mon Jul 18 22:35:19 2016 +0000
committer: android-build-merger <android-build-merger@google.com> Mon Jul 18 22:35:19 2016 +0000
tree: 4cf3b145cf6f4961d96c12b93fea106b85031cfb
parent: 316c5165bc9a2a58789e386c99e470793d6c4299 [diff]
parent: b82c6f52c0b2464f3d44a5c4cc904ae19648b59d [diff]
diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp
index 246346b..fb2b857 100644
--- a/libs/ui/Region.cpp
+++ b/libs/ui/Region.cpp

@@ -796,6 +796,11 @@
         return NO_MEMORY;
     }
 
+    if (numRects > (UINT32_MAX / sizeof(Rect))) {
+        android_errorWriteWithInfoLog(0x534e4554, "29983260", -1, NULL, 0);
+        return NO_MEMORY;
+    }
+
     Region result;
     result.mStorage.clear();
     for (size_t r = 0; r < numRects; ++r) {
commit	e31fd642a4bb5a32e7d9e4f77e3163f8dfe935bc	[log] [tgz]
author	Pablo Ceballos <pceballos@google.com>	Mon Jul 18 22:35:19 2016 +0000
committer	android-build-merger <android-build-merger@google.com>	Mon Jul 18 22:35:19 2016 +0000
tree	4cf3b145cf6f4961d96c12b93fea106b85031cfb
parent	316c5165bc9a2a58789e386c99e470793d6c4299 [diff]
parent	b82c6f52c0b2464f3d44a5c4cc904ae19648b59d [diff]