Merge "libbinder: Parcel: validate read data before write" into tm-dev am:... (d494cf97) · Commits · e / devices / smdk4412 / android_frameworks_native

libs/binder/Parcel.cpp

+12 −0

Original line number	Original line	Diff line number	Diff line
	@@ -1090,6 +1090,10 @@ restart_write:
	//printf("Writing %ld bytes, padded to %ld\n", len, padded);		//printf("Writing %ld bytes, padded to %ld\n", len, padded);
	uint8_t* const data = mData+mDataPos;		uint8_t* const data = mData+mDataPos;

			if (status_t status = validateReadData(mDataPos + padded); status != OK) {
			return nullptr; // drops status
			}

	// Need to pad at end?		// Need to pad at end?
	if (padded != len) {		if (padded != len) {
	#if BYTE_ORDER == BIG_ENDIAN		#if BYTE_ORDER == BIG_ENDIAN
	@@ -1648,6 +1652,10 @@ status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
	const bool enoughObjects = kernelFields->mObjectsSize < kernelFields->mObjectsCapacity;		const bool enoughObjects = kernelFields->mObjectsSize < kernelFields->mObjectsCapacity;
	if (enoughData && enoughObjects) {		if (enoughData && enoughObjects) {
	restart_write:		restart_write:
			if (status_t status = validateReadData(mDataPos + sizeof(val)); status != OK) {
			return status;
			}

	reinterpret_cast<flat_binder_object>(mData+mDataPos) = val;		reinterpret_cast<flat_binder_object>(mData+mDataPos) = val;

	// remember if it's a file descriptor		// remember if it's a file descriptor
	@@ -1889,6 +1897,10 @@ status_t Parcel::writeAligned(T val) {

	if ((mDataPos+sizeof(val)) <= mDataCapacity) {		if ((mDataPos+sizeof(val)) <= mDataCapacity) {
	restart_write:		restart_write:
			if (status_t status = validateReadData(mDataPos + sizeof(val)); status != OK) {
			return status;
			}

	memcpy(mData + mDataPos, &val, sizeof(val));		memcpy(mData + mDataPos, &val, sizeof(val));
	return finishWrite(sizeof(val));		return finishWrite(sizeof(val));
	}		}