Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0db4fced authored by Steven Moreland's avatar Steven Moreland
Browse files

libbinder: Parcel: grow rejects large data pos 

This is unexpected behavior so throw an error.
Allocating this much memory may cause OOM or
other issues.

Bug: 370831157
Test: fuzzer
Merged-In: Iea0884ca61b08e52e6a6e9c66693e427cb5536f4
Change-Id: Iea0884ca61b08e52e6a6e9c66693e427cb5536f4
(cherry picked from commit 608524d4)
parent 001bb2fb

libs/binder/Parcel.cpp

+8 −0
Original line number Diff line number Diff line
@@ -2253,6 +2253,14 @@ status_t Parcel::growData(size_t len) 
        return BAD_VALUE;

    }



    if (mDataPos > mDataSize) {

        // b/370831157 - this case used to abort. We also don't expect mDataPos < mDataSize, but

        // this would only waste a bit of memory, so it's okay.

        ALOGE("growData only expected at the end of a Parcel. pos: %zu, size: %zu, capacity: %zu",

              mDataPos, len, mDataCapacity);

        return BAD_VALUE;

    }



    if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow

    if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow

    size_t newSize = ((mDataSize+len)*3)/2;