summaryrefslogtreecommitdiff
path: root/libs/androidfw/CursorWindow.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'libs/androidfw/CursorWindow.cpp')
-rw-r--r--libs/androidfw/CursorWindow.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/libs/androidfw/CursorWindow.cpp b/libs/androidfw/CursorWindow.cpp
index 166863c0d91a..5694115f61aa 100644
--- a/libs/androidfw/CursorWindow.cpp
+++ b/libs/androidfw/CursorWindow.cpp
@@ -98,9 +98,14 @@ status_t CursorWindow::createFromParcel(Parcel* parcel, CursorWindow** outCursor
if (dupAshmemFd < 0) {
result = -errno;
} else {
+ // the size of the ashmem descriptor can be modified between ashmem_get_size_region
+ // call and mmap, so we'll check again immediately after memory is mapped
void* data = ::mmap(NULL, size, PROT_READ, MAP_SHARED, dupAshmemFd, 0);
if (data == MAP_FAILED) {
result = -errno;
+ } else if (ashmem_get_size_region(dupAshmemFd) != size) {
+ ::munmap(data, size);
+ result = BAD_VALUE;
} else {
CursorWindow* window = new CursorWindow(name, dupAshmemFd,
data, size, true /*readOnly*/);
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 10:29:25 +0000