Fix integer overflow in unsafeReadTypedVector

Passing a size to std::vector that is too big causes it to silently under-allocate when exceptions are disabled, leaving us open to an OOB write. We check the bounds and the resulting size now to verify allocation succeeds. Test: Verified reproducer attached to bug no longer crashes Camera service. Bug: 31677614 Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7 (cherry picked from commit 65a8f07e57a492289798ca709a311650b5bd5af1)
author: Casey Dahlin <sadmac@google.com> 2016-10-26 17:18:25 -0700
committer: gitbuildkicker <android-build@google.com> 2016-11-30 10:18:55 -0800
commit: e5543013be3ac71f74c5acac358eba0a5e460401 (patch)
tree: 44167cd6e9364f9b83e7c625ecdc2200d745352f
parent: 866c6cae028bb738c880be2123ab5223aa536824 (diff)
download: native-e5543013be3ac71f74c5acac358eba0a5e460401.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h
index 1c355c4689..2490b82bb2 100644
--- a/include/binder/Parcel.h
+++ b/include/binder/Parcel.h
@@ -589,8 +589,16 @@ status_t Parcel::unsafeReadTypedVector(
         return UNEXPECTED_NULL;
     }
 
+    if (val->max_size() < size) {
+        return NO_MEMORY;
+    }
+
     val->resize(size);
 
+    if (val->size() < size) {
+        return NO_MEMORY;
+    }
+
     for (auto& v: *val) {
         status = (this->*read_func)(&v);
author	Casey Dahlin <sadmac@google.com>	2016-10-26 17:18:25 -0700
committer	gitbuildkicker <android-build@google.com>	2016-11-30 10:18:55 -0800
commit	e5543013be3ac71f74c5acac358eba0a5e460401 (patch)
tree	44167cd6e9364f9b83e7c625ecdc2200d745352f
parent	866c6cae028bb738c880be2123ab5223aa536824 (diff)
download	native-e5543013be3ac71f74c5acac358eba0a5e460401.tar.gz