Update parcel data pointer after realloc with size 0 If restartWrite is called with desired size of 0, mData will be reallocated to size 0. This frees the memory and returns a null pointer. When this happends we need to update the stored data pointer and capacity otherwise we will crash with a double free when the object is desctructed. Bug: 157066561 Test: build POC included in bug. 'adb push binderMemSafety /data/local/tmp && adb shell /data/local/tmp/binderMemSafety'. Reproduce the crash without this change, then verify no crash with this change. This is also being added to STS. Ran 'atest -p' for binder tests. Change-Id: I494e954204ee4a312739ae8600e2cf545ea452e3

commit: 4a0a55e0b68e34f411e436b19e3997a81078cdeb [log] [tgz]
author: Devin Moore <devinmoore@google.com> Thu Jun 04 13:23:10 2020 -0700
committer: Devin Moore <devinmoore@google.com> Mon Jun 29 21:29:32 2020 +0000
tree: 0470cd26d6c413eaacffa94370a84880df76f63e
parent: d91b548ae0b14ea8e779d25e4a949b1a1ef67036 [diff] [blame]
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 9642a87..598fece 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp

@@ -2460,7 +2460,7 @@
 
     releaseObjects();
 
-    if (data) {
+    if (data || desired == 0) {
         LOG_ALLOC("Parcel %p: restart from %zu to %zu capacity", this, mDataCapacity, desired);
         pthread_mutex_lock(&gParcelGlobalAllocSizeLock);
         gParcelGlobalAllocSize += desired;
commit	4a0a55e0b68e34f411e436b19e3997a81078cdeb	[log] [tgz]
author	Devin Moore <devinmoore@google.com>	Thu Jun 04 13:23:10 2020 -0700
committer	Devin Moore <devinmoore@google.com>	Mon Jun 29 21:29:32 2020 +0000
tree	0470cd26d6c413eaacffa94370a84880df76f63e
parent	d91b548ae0b14ea8e779d25e4a949b1a1ef67036 [diff] [blame]