libbinder: readCString: no ubsan sub-overflow Bug: 131859347 Test: fuzzer Change-Id: I95a0f59684a172925f1eab97ff21e5d14bc79cc8

commit: f5e6c7e5fade7dd2b416c896b39fd1d4a23e8713 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Fri May 17 13:14:06 2019 -0700
committer: Steven Moreland <smoreland@google.com> Fri May 17 13:21:39 2019 -0700
tree: 86d879723d6b350a44f50b02aedcc831bcdf2f09
parent: 0419884f22d8e390b1aa9a55a6d9664176983571 [diff] [blame]
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 0c57335..580573e 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp

@@ -2074,8 +2074,8 @@
 
 const char* Parcel::readCString() const
 {
-    const size_t avail = mDataSize-mDataPos;
-    if (avail > 0) {
+    if (mDataPos < mDataSize) {
+        const size_t avail = mDataSize-mDataPos;
         const char* str = reinterpret_cast<const char*>(mData+mDataPos);
         // is the string's trailing NUL within the parcel's valid bounds?
         const char* eos = reinterpret_cast<const char*>(memchr(str, 0, avail));
commit	f5e6c7e5fade7dd2b416c896b39fd1d4a23e8713	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Fri May 17 13:14:06 2019 -0700
committer	Steven Moreland <smoreland@google.com>	Fri May 17 13:21:39 2019 -0700
tree	86d879723d6b350a44f50b02aedcc831bcdf2f09
parent	0419884f22d8e390b1aa9a55a6d9664176983571 [diff] [blame]