Check mDataPos to see if the Parcel needs to grow
Flag: EXEMPT bug fix
Ignore-AOSP-First: security fix
Test: atest binderUnitTest
Bug: 399155883
Change-Id: I38b755ca3381cfca3300292873f763823fbf169b
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 777c22a..2c37624 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -542,7 +542,7 @@
return BAD_VALUE;
}
- if ((mDataSize+len) > mDataCapacity) {
+ if ((mDataPos + len) > mDataCapacity) {
// grow data
err = growData(len);
if (err != NO_ERROR) {
diff --git a/libs/binder/tests/binderParcelUnitTest.cpp b/libs/binder/tests/binderParcelUnitTest.cpp
index 6259d9d..a71da3f 100644
--- a/libs/binder/tests/binderParcelUnitTest.cpp
+++ b/libs/binder/tests/binderParcelUnitTest.cpp
@@ -197,6 +197,17 @@
ASSERT_EQ(2, p2.readInt32());
}
+TEST(Parcel, AppendWithBadDataPos) {
+ Parcel p1;
+ p1.writeInt32(1);
+ p1.writeInt32(1);
+ Parcel p2;
+ p2.setDataCapacity(8);
+ p2.setDataPosition(10000);
+
+ EXPECT_EQ(android::BAD_VALUE, p2.appendFrom(&p1, 0, 8));
+}
+
TEST(Parcel, HasBinders) {
sp<IBinder> b1 = sp<BBinder>::make();