Merge changes from topic "am-100638f4-8d58-47a0-b84b-5e3b7006a2a7" into oc-dev
* changes:
[automerger] [RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets. am: f5edb02e9e am: 31bfe0a842 am: f40ecb8468 am: 26b3896f40 skipped: 8f60131524
[automerger] [RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets. am: f5edb02e9e am: 31bfe0a842 am: f40ecb8468 am: 26b3896f40
[automerger] [RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets. am: f5edb02e9e am: 31bfe0a842 am: f40ecb8468
[automerger] [RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets. am: f5edb02e9e am: 31bfe0a842
[automerger] [RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets. am: f5edb02e9e
[RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets.
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 9d96dd6..ca8277d 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -2013,8 +2013,8 @@
const char* Parcel::readCString() const
{
- const size_t avail = mDataSize-mDataPos;
- if (avail > 0) {
+ if (mDataPos < mDataSize) {
+ const size_t avail = mDataSize-mDataPos;
const char* str = reinterpret_cast<const char*>(mData+mDataPos);
// is the string's trailing NUL within the parcel's valid bounds?
const char* eos = reinterpret_cast<const char*>(memchr(str, 0, avail));
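Review bot: The reordered guard at `if (mDataPos < mDataSize) {` is the whole fix, but nothing in the hunk records why it replaced `avail > 0`, so a later cleanup could fold the two lines back together and reintroduce the problem. The point is that `mDataSize-mDataPos` is an unsigned subtraction, so a data position that has moved past the end of the data would wrap to a huge `avail` and make the following memchr scan well beyond the parcel; checking the ordering before subtracting avoids that. A one-line comment above the `if` would carry this: `// Compare before subtracting: mDataPos is not guaranteed to be <= mDataSize, and the size_t difference would wrap.` The rest of readCString, including the handling when no NUL is found, lies outside this hunk.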
diff --git a/libs/binder/Status.cpp b/libs/binder/Status.cpp
index 006f7f9..8b9dee8 100644
--- a/libs/binder/Status.cpp
+++ b/libs/binder/Status.cpp
@@ -76,13 +76,23 @@
// Skip over fat response headers. Not used (or propagated) in native code.
if (mException == EX_HAS_REPLY_HEADER) {
// Note that the header size includes the 4 byte size field.
- const int32_t header_start = parcel.dataPosition();
+ const size_t header_start = parcel.dataPosition();
+ // Get available size before reading more
+ const size_t header_avail = parcel.dataAvail();
+
int32_t header_size;
status = parcel.readInt32(&header_size);
if (status != OK) {
setFromStatusT(status);
return status;
}
+
+ if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
+
parcel.setDataPosition(header_start + header_size);
// And fat response headers are currently only used when there are no
// exceptions, so act like there was no error.
@@ -106,13 +116,23 @@
status = parcel.readInt32(&mErrorCode);
} else if (mException == EX_PARCELABLE) {
// Skip over the blob of Parcelable data
- const int32_t header_start = parcel.dataPosition();
+ const size_t header_start = parcel.dataPosition();
+ // Get available size before reading more
+ const size_t header_avail = parcel.dataAvail();
+
int32_t header_size;
status = parcel.readInt32(&header_size);
if (status != OK) {
setFromStatusT(status);
return status;
}
+
+ if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
+
parcel.setDataPosition(header_start + header_size);
}
if (status != OK) {
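Review bot: The EX_PARCELABLE branch now repeats the EX_HAS_REPLY_HEADER branch from the previous hunk line for line (the dataPosition/dataAvail capture, the readInt32, the bounds check with the same log call, the seek), so the two copies will drift apart the next time one of them is adjusted. A file-local helper that reads the size field, validates it against the captured dataAvail and performs the seek would reduce each branch to a single call plus the existing error propagation. The fence below shows that helper and the rewritten EX_PARCELABLE branch; the enclosing function starts before and ends after this hunk, so the helper would be placed above it in Status.cpp. This assumes Parcel's read and position-setting members are callable on a const Parcel, as the existing calls in the hunk suggest.
```cpp
// File-local helper: reads the 4-byte header size at the current position and
// skips past the header, refusing sizes that are negative or exceed the data
// still available in the parcel. Returns OK on success.
static status_t skipSizedHeader(const Parcel& parcel) {
    const size_t header_start = parcel.dataPosition();
    // Get available size before reading more
    const size_t header_avail = parcel.dataAvail();
    int32_t header_size;
    const status_t status = parcel.readInt32(&header_size);
    if (status != OK) {
        return status;
    }
    if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
        android_errorWriteLog(0x534e4554, "132650049");
        return UNKNOWN_ERROR;
    }
    parcel.setDataPosition(header_start + header_size);
    return OK;
}

// … unchanged: earlier branches of the exception handling …
    } else if (mException == EX_PARCELABLE) {
        // Skip over the blob of Parcelable data
        status = skipSizedHeader(parcel);
        if (status != OK) {
            setFromStatusT(status);
            return status;
        }
    }
```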