From c591f88faed84ac9d69507a35f5b1bfbfb8ab74a Mon Sep 17 00:00:00 2001
From: Keun Soo Yim
Date: Sat, 7 Jan 2017 17:53:44 -0800
Subject: [PATCH] add checks to avoid potential buffer overflows and prevent exceptions
number_platform_modes variable is from another module (e.g., eModule->get_number_of_platform_modes(mModule)) and thus can be a big number. If a big number is used as the size of new operation, it can cause an exception as is.
Test: mma
Change-Id: I6cf6027804be980ad39c80a1571b284efabce7e8
---
 power/1.0/default/Power.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/power/1.0/default/Power.cpp b/power/1.0/default/Power.cpp
index 29594eb22b..820c41039b 100644
--- power/1.0/default/Power.cpp
+++ power/1.0/default/Power.cpp
@@ -78,7 +78,9 @@ Return Power::getPlatformLowPowerStats(getPlatformLowPowerStats_cb _hidl_c
 number_platform_modes = mModule->get_number_of_platform_modes(mModule); if (number_platform_modes > 0) {
- voters = new size_t [number_platform_modes];
+ if (SIZE_MAX / sizeof(size_t) <= number_platform_modes) // overflow
+ goto done;
+ voters = new (std::nothrow) size_t [number_platform_modes];
 if (voters == nullptr) goto done;
@@ -86,7 +88,11 @@ Return Power::getPlatformLowPowerStats(getPlatformLowPowerStats_cb _hidl_c
 if (ret != 0) goto done;
- legacy_states = new power_state_platform_sleep_state_t [number_platform_modes];
+ if (SIZE_MAX / sizeof(power_state_platform_sleep_state_t)
+ <= number_platform_modes) // overflow
+ goto done;
+ legacy_states = new (std::nothrow)
+ power_state_platform_sleep_state_t [number_platform_modes];
 if (legacy_states == nullptr) goto done;
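Review bot: The guard added in front of `voters = new (std::nothrow) size_t [number_platform_modes]` rejects only counts whose byte size would wrap past SIZE_MAX, so a module-reported count far beyond any plausible number of platform modes still passes and drives a very large allocation; the `legacy_states` guard in the second hunk has the same gap. Since the commit message treats the value as coming from another module, an explicit sanity limit would state that trust boundary directly, for example `if (number_platform_modes > kMaxPlatformModes) goto done;`, where `kMaxPlatformModes` is a placeholder for a limit the HAL owners choose. The bail-out is silent in the lines shown, so logging the rejected count before `goto done` would make a misreporting vendor module diagnosable. The function body and the `done` label lie outside the hunk, so what the caller receives on this path cannot be confirmed from here.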
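Review bot: The size check for `legacy_states` runs only after `voters` has been allocated and, presumably, after the module call whose result is tested by `if (ret != 0)` at the top of this hunk, so a count that passes the first guard but fails this one does that work and then bails. Checking once against the larger element size before the first allocation would cover both arrays: `if (SIZE_MAX / sizeof(power_state_platform_sleep_state_t) <= number_platform_modes) goto done;` placed ahead of the `voters` allocation, assuming the struct is at least as large as `size_t`. All eight added lines sit in these two hunks, so the patch adds no `#include <new>` for `std::nothrow`; unless Power.cpp already includes it, add it rather than rely on a transitive include. The code between the hunks and the cleanup at `done` are not visible here.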