Parcel: free objects before realloc Otherwise this would try to free the objects which have been written over in mData. Bug: 328177618 Test: with fuzzer Change-Id: I8929d11e3c1c193a1c36e95371b5e96e24d47ece

commit: c6b0dfa3358a152c9bfd1fc479753c6ba32b78eb [log] [tgz]
author: Steven Moreland <smoreland@google.com> Tue Mar 05 09:10:02 2024 +0000
committer: Steven Moreland <smoreland@google.com> Tue Mar 05 09:10:02 2024 +0000
tree: 7ff407683c1dbca9443451cc019d95caaa7d9ccf
parent: 52f0fc4df9998505718c1f89dba99aa6893d6709 [diff]
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index c1770b3..4d1463c 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp

@@ -2930,14 +2930,14 @@
         return continueWrite(desired);
     }
 
+    releaseObjects();
+
     uint8_t* data = reallocZeroFree(mData, mDataCapacity, desired, mDeallocZero);
     if (!data && desired > mDataCapacity) {
         mError = NO_MEMORY;
         return NO_MEMORY;
     }
 
-    releaseObjects();
-
     if (data || desired == 0) {
         LOG_ALLOC("Parcel %p: restart from %zu to %zu capacity", this, mDataCapacity, desired);
         if (mDataCapacity > desired) {
commit	c6b0dfa3358a152c9bfd1fc479753c6ba32b78eb	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Tue Mar 05 09:10:02 2024 +0000
committer	Steven Moreland <smoreland@google.com>	Tue Mar 05 09:10:02 2024 +0000
tree	7ff407683c1dbca9443451cc019d95caaa7d9ccf
parent	52f0fc4df9998505718c1f89dba99aa6893d6709 [diff]