Use resizeOutVector in IncidentReportArg IncidentReportArg doesn't handle cases when incorrect vector length is provided in parcel. Using resizeOutVector Parcel API instead. Test: atest incidentd_test Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer with clusterfuzz testcase Bug: 283079842 Change-Id: I1682c8920c64faf5b0f2f6cd54b8517ec0f5d877

commit: 3c3e36876f5476a217b5a692c8d58bbdd3c60b59 [log] [tgz]
author: Pawan Wagh <waghpawan@google.com> Thu May 18 20:23:44 2023 +0000
committer: Pawan Wagh <waghpawan@google.com> Thu May 18 20:31:30 2023 +0000
tree: 8a577ca45a0f5cfe497b5b481dd500e166321049
parent: 3c0960d65a289ba6f1c84020b258beea31b1d6fc [diff] [blame]
diff --git a/libs/incident/src/IncidentReportArgs.cpp b/libs/incident/src/IncidentReportArgs.cpp
index db495cf..d344a981 100644
--- a/libs/incident/src/IncidentReportArgs.cpp
+++ b/libs/incident/src/IncidentReportArgs.cpp

@@ -133,13 +133,12 @@
         mSections.insert(section);
     }
 
-    int32_t headerCount;
-    err = in->readInt32(&headerCount);
+    err = in->resizeOutVector<vector<uint8_t>>(&mHeaders);
     if (err != NO_ERROR) {
         return err;
     }
-    mHeaders.resize(headerCount);
-    for (int i=0; i<headerCount; i++) {
+
+    for (int i=0; i<mHeaders.size(); i++) {
         err = in->readByteVector(&mHeaders[i]);
         if (err != NO_ERROR) {
             return err;
commit	3c3e36876f5476a217b5a692c8d58bbdd3c60b59	[log] [tgz]
author	Pawan Wagh <waghpawan@google.com>	Thu May 18 20:23:44 2023 +0000
committer	Pawan Wagh <waghpawan@google.com>	Thu May 18 20:31:30 2023 +0000
tree	8a577ca45a0f5cfe497b5b481dd500e166321049
parent	3c0960d65a289ba6f1c84020b258beea31b1d6fc [diff] [blame]