
Commit f5edb02e authored by Bryan Ferris's avatar Bryan Ferris

[RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets.

Bug: 132650049
Test: fuzzer
Change-Id: Id230eae4316a444bc82b416b2049d5a5f589f89a
parent cb2f0cee
+11 −1
@@ -66,13 +66,22 @@ status_t Status::readFromParcel(const Parcel& parcel) {
    // Skip over fat response headers.  Not used (or propagated) in native code.
    if (mException == EX_HAS_REPLY_HEADER) {
        // Note that the header size includes the 4 byte size field.
        const int32_t header_start = parcel.dataPosition();
        const size_t header_start = parcel.dataPosition();
        const size_t header_avail = parcel.dataAvail();

        int32_t header_size;
        status = parcel.readInt32(&header_size);
        if (status != OK) {
            setFromStatusT(status);
            return status;
        }

        if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
          android_errorWriteLog(0x534e4554, "132650049");
          setFromStatusT(UNKNOWN_ERROR);
          return UNKNOWN_ERROR;
        }

        parcel.setDataPosition(header_start + header_size);
        // And fat response headers are currently only used when there are no
        // exceptions, so act like there was no error.
@@ -95,6 +104,7 @@ status_t Status::readFromParcel(const Parcel& parcel) {
    if (mException == EX_SERVICE_SPECIFIC) {
        status = parcel.readInt32(&mErrorCode);
    }

    if (status != OK) {
        setFromStatusT(status);
        return status;
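Review bot: The added check `if (header_size < 0 || static_cast<size_t>(header_size) > header_avail)` in the first hunk still accepts sizes 0 through 3, although the comment above it says the header size includes the 4 byte size field. For such a value `parcel.setDataPosition(header_start + header_size)` places the cursor at or inside the size field that was just read, so the header is not skipped and whatever is read next from the parcel would presumably start in header bytes. Rejecting anything shorter than the size field closes that gap: `if (header_size < static_cast<int32_t>(sizeof(int32_t)) || static_cast<size_t>(header_size) > header_avail) {`. readFromParcel begins and ends outside both hunks, so how later reads treat the rewound position is not visible here.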