authorSteven Moreland <smoreland@google.com>2019-05-17 13:14:06 -0700
committerNikoli Cartagena <dargeren@google.com>2019-06-10 18:52:21 -0700
commit6dc120c3e42e96dc6523c75d37b5f87a9c63daae (patch)
treec66f59a6f67b63699876b392f988daeed98d44de
parent1121931400ad8d81ae0b15939281e5248cb414bb (diff)
downloadnative-6dc120c3e42e96dc6523c75d37b5f87a9c63daae.tar.gz
libbinder: readCString: no ubsan sub-overflow
Bug: 131859347 Test: fuzzer Change-Id: I95a0f59684a172925f1eab97ff21e5d14bc79cc8 Merged-In: I95a0f59684a172925f1eab97ff21e5d14bc79cc8 (cherry picked from commit d0d4b584fc294d2c124385644099852918416344)
-rw-r--r--libs/binder/Parcel.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 2e7edd7a28..8e206f501f 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -2013,8 +2013,8 @@ status_t Parcel::readUtf8FromUtf16(std::unique_ptr<std::string>* str) const {
const char* Parcel::readCString() const
{
- const size_t avail = mDataSize-mDataPos;
- if (avail > 0) {
+ if (mDataPos < mDataSize) {
+ const size_t avail = mDataSize-mDataPos;
const char* str = reinterpret_cast<const char*>(mData+mDataPos);
// is the string's trailing NUL within the parcel's valid bounds?
const char* eos = reinterpret_cast<const char*>(memchr(str, 0, avail));
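Review bot: The reordered guard `if (mDataPos < mDataSize)` carries no comment explaining why the comparison has to come before the subtraction, so a later tidy-up could hoist `avail` back out of the branch and reintroduce the `size_t` wrap-around. With the old ordering, a position past the end produced a huge `avail` that still passed `avail > 0` and was handed to `memchr` as the length, which means a scan beyond the parcel's buffer rather than just a sanitizer report. I would add a line above the check such as `// mDataPos may be past mDataSize; compare before subtracting so avail cannot wrap`. The body of readCString continues outside this hunk, so how mDataPos is advanced after a match is not visible here. It is worth confirming whether that advance, or any other reader using the same `mDataSize-mDataPos` pattern, can leave the position beyond the data size.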