author | Steven Moreland <smoreland@google.com> | 2020-11-18 00:32:42 +0000 |
---|---|---|
committer | Steven Moreland <smoreland@google.com> | 2020-12-04 20:09:59 +0000 |
commit | 58f5cfa56d5282e69a7580dc4bb97603c409f003 (patch) | |
tree | 4717ace370be83e337c26e372cf798aeeac2b252 | |
parent | 607a9a94cfa3221f5997d21a19d0e9bb76eab798 (diff) | |
libbinder: check null bytes in readString*Inplace
This is entirely defensive, since the only real guarantee we have here
from these APIs is that a buffer of a given length is available.
However, since we write 0's here, presumably to guard against people
assuming these are null-terminated strings, we might as well enforce
that they are actually null terminated.
Bug: 172655291
Test: binderParcelTest (added in newer CL)
Change-Id: Ie879112540155f6a93b97aeaf3d41ed8ba4ae79f
Merged-In: Ie879112540155f6a93b97aeaf3d41ed8ba4ae79f
(cherry picked from commit 51e02b16c397c44ddf81a0736cf6045cd4c44128)
-rw-r--r-- | libs/binder/Parcel.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 9642a87f4e..1f7d27e0e9 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -1869,7 +1869,7 @@ const char* Parcel::readString8Inplace(size_t* outLen) const if (size >= 0 && size < INT32_MAX) { *outLen = size; const char* str = (const char*)readInplace(size+1); - if (str != nullptr) { + if (str != nullptr && str[size] == '\0') { return str; } } @@ -1929,7 +1929,7 @@ const char16_t* Parcel::readString16Inplace(size_t* outLen) const if (size >= 0 && size < INT32_MAX) { *outLen = size; const char16_t* str = (const char16_t*)readInplace((size+1)*sizeof(char16_t)); - if (str != nullptr) { + if (str != nullptr && str[size] == u'\0') { return str; } } |
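Review bot: in the `@@ -1869` hunk, `*outLen = size;` is assigned before the new `str[size] == '\0'` check, so when the terminator check fails the buffer is not returned but the caller's length has already been set to `size`, and `readInplace(size+1)` has already advanced the read position. Consider moving the assignment after the check, e.g. `if (str != nullptr && str[size] == '\0') { *outLen = size; return str; }`, or explicitly resetting `*outLen = 0` on the rejection path, so a null result is never paired with a non-zero length. The diff also adds no documentation for the new guarantee; a comment at the declaration of `readString8Inplace` stating that a non-null return is null-terminated at `str[size]` would let callers rely on it.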
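Review bot: the `@@ -1929` hunk has the same ordering issue, `*outLen = size;` precedes `str[size] == u'\0'`, so a rejected string still leaves the caller's length set. Since `readString8Inplace` and `readString16Inplace` now differ only in the character type, the terminator literal and the `sizeof` factor, a small templated helper would keep the two checks from drifting apart. The check only inspects the final code unit, so an embedded `u'\0'` before `size` still passes; that is consistent with an API that returns an explicit length, but worth a comment. Finally, the `Test:` line defers coverage to a later CL; a malformed-parcel test for this rejection path belongs with this change or should at least be referenced by its ID.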