commit | 62e48126cbbf630c29a8a5fb6df89976b9d20ccd | [log] [tgz] |
---|---|---|
author | Steven Moreland <smoreland@google.com> | Wed Oct 02 01:00:23 2024 +0000 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | Fri Nov 22 16:55:16 2024 +0000 |
tree | 1d992c1a7b0d12df6a14ffe13d1cde931ad60af3 | |
parent | 7c3bec84d0f8a145331fc53f5d51dcd41a138ef5 [diff] [blame] |
libbinder: Parcel: grow rejects large data pos This is unexpected behavior so throw an error. Allocating this much memory may cause OOM or other issues. Bug: 370831157 Test: fuzzer (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:608524d462278c2c9f6716cd94f126c85e9f2e91) Merged-In: Iea0884ca61b08e52e6a6e9c66693e427cb5536f4 Change-Id: Iea0884ca61b08e52e6a6e9c66693e427cb5536f4
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 4b7af45..b3e3f6e 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -2948,6 +2948,14 @@
 return BAD_VALUE;
 }
 
+ if (mDataPos > mDataSize) {
+ // b/370831157 - this case used to abort. We also don't expect mDataPos < mDataSize, but
+ // this would only waste a bit of memory, so it's okay.
+ ALOGE("growData only expected at the end of a Parcel. pos: %zu, size: %zu, capacity: %zu",
+ mDataPos, len, mDataCapacity);
+ return BAD_VALUE;
+ }
+
 if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
 if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
 size_t newSize = ((mDataSize+len)*3)/2;
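Review bot: The ALOGE in the new `mDataPos > mDataSize` branch labels its second value `size:` but passes `len`, the requested growth, so the log never shows the `mDataSize` that the check compared against. This message is the only diagnostic left when a malformed Parcel is rejected here, so anyone triaging a fuzzer hit or a field report would read a misleading number. I would log both values, e.g. `"... pos: %zu, size: %zu, len: %zu, capacity: %zu",` with `mDataPos, mDataSize, len, mDataCapacity);`. The enclosing function starts and ends outside this hunk, so I could not check whether callers handle the new BAD_VALUE return differently from the previous abort.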