authorCasey Dahlin <sadmac@google.com>2016-10-26 17:18:25 -0700
committergitbuildkicker <android-build@google.com>2016-12-01 14:47:04 -0800
commite5753ba087fa59ee02f6026cc13b1ceb42a1f266 (patch)
tree636e7683ce010761d3713048814100fc824ac5fd
parentf14208e0390d8ee20ee4a5d7605d614e8b1abaf1 (diff)
Fix integer overflow in unsafeReadTypedVector
Passing a size to std::vector that is too big causes it to silently under-allocate when exceptions are disabled, leaving us open to an OOB write. We check the bounds and the resulting size now to verify allocation succeeds. Test: Verified reproducer attached to bug no longer crashes Camera service. Bug: 31677614 Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7 (cherry picked from commit 65a8f07e57a492289798ca709a311650b5bd5af1)
-rw-r--r--include/binder/Parcel.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h
index 1c355c4689..2490b82bb2 100644
--- a/include/binder/Parcel.h
+++ b/include/binder/Parcel.h
@@ -589,8 +589,16 @@ status_t Parcel::unsafeReadTypedVector(
return UNEXPECTED_NULL;
}
+ if (val->max_size() < size) {
+ return NO_MEMORY;
+ }
+
val->resize(size);
+ if (val->size() < size) {
+ return NO_MEMORY;
+ }
+
for (auto& v: *val) {
status = (this->*read_func)(&v);
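Review bot: The added `val->max_size() < size` guard before `val->resize(size)` does not tie the requested count to the amount of data actually present in the parcel. For small element types `max_size()` is far larger than any 32-bit count, so a sender can still force a very large allocation from a few bytes of input, leaving the post-resize `val->size() < size` check as the only effective defence. Consider also rejecting counts that exceed the unread parcel data, e.g. `if (static_cast<size_t>(size) > dataAvail()) return BAD_VALUE;`; this assumes each element occupies at least one byte on the wire, which the hunk does not show. Both new comparisons mix what appears to be a signed `size` with `size_t`, so an explicit `static_cast<size_t>(size)` after the negative-size guard would make the intent clear and silence sign-compare warnings. The body of `unsafeReadTypedVector` starts and ends outside this hunk, so the declaration of `size` and the loop's error handling are not visible here.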