diff options
author | Michael Wachenschwanz <mwachens@google.com> | 2018-08-24 21:50:35 -0700 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2019-03-15 23:13:15 +0000 |
commit | aa6236c139750fe3fae53fb1c98e49acb4360f70 (patch) | |
tree | 800233caeeed15271f6da38049d24acd4d94816e | |
parent | 545cc75b4ebcac4b15d541d84a3bfce8bfe5840f (diff) | |
download | base-aa6236c139750fe3fae53fb1c98e49acb4360f70.tar.gz |
Verify number of Map entries written to Parcel
Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.
Fixes: 112859604
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
(cherry picked from commit 057a01d1f38e9b46d3faa4059fdd7c8717681ea0)
-rw-r--r-- | core/java/android/os/Parcel.java | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java index 74dcc0787b3b..deca473ce621 100644 --- a/core/java/android/os/Parcel.java +++ b/core/java/android/os/Parcel.java @@ -691,11 +691,19 @@ public final class Parcel { return; } Set<Map.Entry<String,Object>> entries = val.entrySet(); - writeInt(entries.size()); + int size = entries.size(); + writeInt(size); + for (Map.Entry<String,Object> e : entries) { writeValue(e.getKey()); writeValue(e.getValue()); + size--; } + + if (size != 0) { + throw new BadParcelableException("Map size does not match number of entries!"); + } + } /** |