Fix integer overflow in unsafeReadTypedVector am: 65a8f07e57 am: 894ba10a5f Change-Id: If93da0dbcbf78ea65e3ac950c5539861587526bb

commit: b7a1cc50d224140ee06a5a9d04b34fddf5ad7b3b [log] [tgz]
author: Casey Dahlin <sadmac@google.com> Tue Nov 15 23:57:07 2016 +0000
committer: android-build-merger <android-build-merger@google.com> Tue Nov 15 23:57:07 2016 +0000
tree: 06421e98c287cf861e6a3ba65432036b2a686b35
parent: ce40ad244154c875f1e1fd3cdce2c1440fe8fb6a [diff]
parent: 894ba10a5fa404314649870a1bbf7a41fb7755bd [diff]
diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h
index 1c355c4..2490b82 100644
--- a/include/binder/Parcel.h
+++ b/include/binder/Parcel.h

@@ -589,8 +589,16 @@
         return UNEXPECTED_NULL;
     }
 
+    if (val->max_size() < size) {
+        return NO_MEMORY;
+    }
+
     val->resize(size);
 
+    if (val->size() < size) {
+        return NO_MEMORY;
+    }
+
     for (auto& v: *val) {
         status = (this->*read_func)(&v);
commit	b7a1cc50d224140ee06a5a9d04b34fddf5ad7b3b	[log] [tgz]
author	Casey Dahlin <sadmac@google.com>	Tue Nov 15 23:57:07 2016 +0000
committer	android-build-merger <android-build-merger@google.com>	Tue Nov 15 23:57:07 2016 +0000
tree	06421e98c287cf861e6a3ba65432036b2a686b35
parent	ce40ad244154c875f1e1fd3cdce2c1440fe8fb6a [diff]
parent	894ba10a5fa404314649870a1bbf7a41fb7755bd [diff]