Check for data buffer size while marshalling parcel Checking for internal buffer size which should handle cases where parcel has position set beyond datasize and data size is actually returning the data position. Test: m && acloud delete --all && acloud create --local-image --local-instance && atest -c CtsNdkBinderTestCases Test: m binder_parcel_fuzzer && out/host/linux-x86/fuzz/x86_64/binder_parcel_fuzzer/binder_parcel_fuzzer Bug: 264739302 Change-Id: Ib6c49fde1c1a56bae3932ce9af731a200b8a8faa

commit: d886a44612edf74cfa7658c82d9c2a71667b017c [log] [tgz]
author: Pawan Wagh <waghpawan@google.com> Sat Jan 21 02:16:38 2023 +0000
committer: Pawan Wagh <waghpawan@google.com> Mon Jan 23 23:34:06 2023 +0000
tree: b0e634f281c850a337f4f44698c8a55861019128
parent: d30f8081952cc0f4a4827a397011ff6148fb77a7 [diff] [blame]
diff --git a/libs/binder/ndk/parcel.cpp b/libs/binder/ndk/parcel.cpp
index 94f72d9..b5a2e2f 100644
--- a/libs/binder/ndk/parcel.cpp
+++ b/libs/binder/ndk/parcel.cpp

@@ -695,7 +695,10 @@
     if (parcel->get()->objectsCount()) {
         return STATUS_INVALID_OPERATION;
     }
-    int32_t dataSize = AParcel_getDataSize(parcel);
+    // b/264739302 - getDataSize will return dataPos if it is greater than dataSize
+    // which will cause crashes in memcpy at later point. Instead compare with
+    // actual length of internal buffer
+    int32_t dataSize = parcel->get()->dataBufferSize();
     if (len > static_cast<size_t>(dataSize) || start > static_cast<size_t>(dataSize) - len) {
         return STATUS_BAD_VALUE;
     }
commit	d886a44612edf74cfa7658c82d9c2a71667b017c	[log] [tgz]
author	Pawan Wagh <waghpawan@google.com>	Sat Jan 21 02:16:38 2023 +0000
committer	Pawan Wagh <waghpawan@google.com>	Mon Jan 23 23:34:06 2023 +0000
tree	b0e634f281c850a337f4f44698c8a55861019128
parent	d30f8081952cc0f4a4827a397011ff6148fb77a7 [diff] [blame]