mtp: avoid silent allocation overflow in MtpProperty Bug: 13006907 Change-Id: Ice0352394840132c9c2ce6c28366632c792a32c0

commit: eb5d7f2f1cc049ea7f95a4f089ce2113d7683dda [log] [tgz]
author: Lajos Molnar <lajos@google.com> Mon Mar 24 16:18:36 2014 -0700
committer: Lajos Molnar <lajos@google.com> Mon Mar 24 19:18:31 2014 -0700
tree: 18f2e7cd60173d83caf6bfa8158cdc7ba71bbc12
parent: 55d15957bc44d11052e1cb3eea3340ec00f70bae [diff] [blame]
diff --git a/media/mtp/MtpProperty.cpp b/media/mtp/MtpProperty.cpp
index 3838ce8..c500901 100644
--- a/media/mtp/MtpProperty.cpp
+++ b/media/mtp/MtpProperty.cpp

@@ -17,6 +17,7 @@
 #define LOG_TAG "MtpProperty"
 
 #include <inttypes.h>
+#include <cutils/compiler.h>
 #include "MtpDataPacket.h"
 #include "MtpDebug.h"
 #include "MtpProperty.h"
@@ -518,8 +519,14 @@
 
 MtpPropertyValue* MtpProperty::readArrayValues(MtpDataPacket& packet, int& length) {
     length = packet.getUInt32();
-    if (length == 0)
+    // Fail if resulting array is over 2GB.  This is because the maximum array
+    // size may be less than SIZE_MAX on some platforms.
+    if ( CC_UNLIKELY(
+            length == 0 ||
+            length >= INT32_MAX / sizeof(MtpPropertyValue)) ) {
+        length = 0;
         return NULL;
+    }
     MtpPropertyValue* result = new MtpPropertyValue[length];
     for (int i = 0; i < length; i++)
         readValue(packet, result[i]);
commit	eb5d7f2f1cc049ea7f95a4f089ce2113d7683dda	[log] [tgz]
author	Lajos Molnar <lajos@google.com>	Mon Mar 24 16:18:36 2014 -0700
committer	Lajos Molnar <lajos@google.com>	Mon Mar 24 19:18:31 2014 -0700
tree	18f2e7cd60173d83caf6bfa8158cdc7ba71bbc12
parent	55d15957bc44d11052e1cb3eea3340ec00f70bae [diff] [blame]