author | android-build-team Robot <android-build-team-robot@google.com> | 2019-06-11 21:07:32 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2019-06-11 21:07:32 +0000 |
commit | 314ee981506a33eb71450a5ee8180e872a5151ad (patch) | |
tree | 85f7a917f379279e8b9072bccdc10c7407caf1c9 | |
parent | 42a149d853a6af9b6a04ef00ba644319a4c13ead (diff) | |
parent | 8c1fdfb56a727afc3d592dae1dd92f7637ebc4a4 (diff) | |
download | native-pie-qpr3-release.tar.gz |
Merge cherrypicks of [7982564, 7982192, 7982565, 7981411, 7982522, 7982682, 7982193, 7982194, 7982523, 7982480, 7982623, 7981412, 7981413, 7982605, 7982606, 7982607, 7982608, 7981749, 7981750, 7981751, 7981752, 7981753, 7981754, 7982624, 7982394, 7982395, 7982625, 7982687, 7982566, 7982567, 7982568, 7982688, 7982689, 7982690, 7982195, 7982196, 7982611, 7982612, 7982396, 7982694, 7982695, 7982215] into pi-qpr3-releaseandroid-9.0.0_r46pie-qpr3-release
Change-Id: I6811eee2f912b12dfae6ae70a549ed5805f3abbc
-rw-r--r-- | libs/binder/Parcel.cpp | 4 | ||||
-rw-r--r-- | libs/binder/Status.cpp | 31 |
2 files changed, 31 insertions, 4 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 2e7edd7a28..8e206f501f 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -2013,8 +2013,8 @@ status_t Parcel::readUtf8FromUtf16(std::unique_ptr<std::string>* str) const {
 const char* Parcel::readCString() const {
- const size_t avail = mDataSize-mDataPos;
- if (avail > 0) {
+ if (mDataPos < mDataSize) {
+ const size_t avail = mDataSize-mDataPos;
 const char* str = reinterpret_cast<const char*>(mData+mDataPos);
 // is the string's trailing NUL within the parcel's valid bounds?
 const char* eos = reinterpret_cast<const char*>(memchr(str, 0, avail));
diff --git a/libs/binder/Status.cpp b/libs/binder/Status.cpp
index a9d5055549..fe0e5924c8 100644
--- a/libs/binder/Status.cpp
+++ b/libs/binder/Status.cpp
@@ -76,13 +76,23 @@ status_t Status::readFromParcel(const Parcel& parcel) {
 // Skip over fat response headers. Not used (or propagated) in native code.
 if (mException == EX_HAS_REPLY_HEADER) {
 // Note that the header size includes the 4 byte size field.
- const int32_t header_start = parcel.dataPosition();
+ const size_t header_start = parcel.dataPosition();
+ // Get available size before reading more
+ const size_t header_avail = parcel.dataAvail();
+
 int32_t header_size;
 status = parcel.readInt32(&header_size);
 if (status != OK) {
 setFromStatusT(status);
 return status;
 }
+
+ if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
+
 parcel.setDataPosition(header_start + header_size);
 // And fat response headers are currently only used when there are no
 // exceptions, so act like there was no error.
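Review bot: The reordered guard in `Parcel::readCString()` has no comment saying why the comparison must come before the subtraction, so a later cleanup could hoist `avail` back above the `if` and undo the fix. `avail` is a `size_t`, so if the operands are unsigned (as the change implies) `mDataSize-mDataPos` wraps to a very large value whenever the read position is past the data size, and that value is the length handed to `memchr`. I would add `// Compare first: mDataSize-mDataPos is unsigned and wraps when mDataPos > mDataSize.` directly above the `if`. The function body starts and ends outside this hunk, and any other place in the file that computes the same difference is not visible here and is worth checking.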
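Review bot: The new bounds check in the `EX_HAS_REPLY_HEADER` branch still accepts `header_size` values 0 to 3, although the comment just above says the size includes the 4-byte size field. The skip is computed from `header_start`, which is captured before `readInt32`, so such a value leaves the read position on or before the size field rather than past the header, and whatever is parsed next is out of step with the sender (the position stays inside the parcel, so this is a desync rather than an out-of-bounds access). Consider tightening the lower bound: `if (header_size < static_cast<int32_t>(sizeof(int32_t)) || static_cast<size_t>(header_size) > header_avail) {`. The `EX_PARCELABLE` branch in the next hunk computes its skip the same way and would take the same change if its size also counts the size field; `readFromParcel` starts and ends outside the hunk.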
@@ -109,19 +119,36 @@ status_t Status::readFromParcel(const Parcel& parcel) {
 setFromStatusT(status);
 return status;
 }
+ if (remote_stack_trace_header_size < 0 ||
+ static_cast<size_t>(remote_stack_trace_header_size) > parcel.dataAvail()) {
+
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
 parcel.setDataPosition(parcel.dataPosition() + remote_stack_trace_header_size);
 if (mException == EX_SERVICE_SPECIFIC) {
 status = parcel.readInt32(&mErrorCode);
 } else if (mException == EX_PARCELABLE) {
 // Skip over the blob of Parcelable data
- const int32_t header_start = parcel.dataPosition();
+ const size_t header_start = parcel.dataPosition();
+ // Get available size before reading more
+ const size_t header_avail = parcel.dataAvail();
+
 int32_t header_size;
 status = parcel.readInt32(&header_size);
 if (status != OK) {
 setFromStatusT(status);
 return status;
 }
+
+ if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
+
 parcel.setDataPosition(header_start + header_size);
 }
 if (status != OK) { |
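Review bot: The same length validation, `android_errorWriteLog(0x534e4554, "132650049")` call and `UNKNOWN_ERROR` return now appear three times in `readFromParcel` (twice in this hunk, once in the previous one), with an unnamed magic tag and a stray blank line after the opening brace of the stack-trace check. A file-local helper would keep the three sites in step and give the constant a name; 0x534e4554 reads as ASCII "SNET" and the string looks like a bug id, both worth confirming and stating in a comment. The sites differ only in which available-byte count they pass (captured before the size read for the two `header_size` skips, read afterwards for the stack-trace skip), and that asymmetry deserves a one-line comment at each call. `readFromParcel` starts and ends outside the hunk.

```cpp
// Event-log tag passed to android_errorWriteLog (ASCII "SNET"; confirm).
static constexpr int kSnetEventLogTag = 0x534e4554;

// True when a peer-supplied skip length is non-negative and no larger than
// the `avail` bytes the caller measured; logs the event otherwise.
static bool isValidSkipLength(int32_t length, size_t avail) {
    if (length >= 0 && static_cast<size_t>(length) <= avail) {
        return true;
    }
    android_errorWriteLog(kSnetEventLogTag, "132650049");
    return false;
}

// … unchanged: readInt32(&remote_stack_trace_header_size) and its status check …
    // This length counts from the current position, so measure after the read.
    if (!isValidSkipLength(remote_stack_trace_header_size, parcel.dataAvail())) {
        setFromStatusT(UNKNOWN_ERROR);
        return UNKNOWN_ERROR;
    }
// … unchanged: setDataPosition, EX_SERVICE_SPECIFIC branch, header_start/header_avail, readInt32(&header_size) …
        // This length counts from header_start, so use the count taken before the read.
        if (!isValidSkipLength(header_size, header_avail)) {
            setFromStatusT(UNKNOWN_ERROR);
            return UNKNOWN_ERROR;
        }
```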