Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a100b381 authored by Fyodor Kupolov's avatar Fyodor Kupolov Committed by Basil Gello
Browse files

Verify last array's length in readFromParcel 

Length of the last array in readFromParcel should be the same as
value of mNextIndex.

Test: PoC app in the bug
Bug: 73252178
Change-Id: I69f935949e945c3a036b19b4f88684d906079ea5
(cherry picked from commit 3b8bc2e4)
CVE-2017-13311
parent 641f46a2

core/java/com/android/internal/app/procstats/SparseMappingTable.java

+7 −0
Original line number Diff line number Diff line
@@ -18,6 +18,7 @@ package com.android.internal.app.procstats; 


import android.os.Build;

import android.os.Parcel;

import android.util.EventLog;

import android.util.Slog;

import libcore.util.EmptyArray;
@@ -529,6 +530,12 @@ public class SparseMappingTable { 
            readCompactedLongArray(in, array, size);

            mLongs.add(array);

        }

        // Verify that last array's length is consistent with writeToParcel

        if (N > 0 && mLongs.get(N - 1).length != mNextIndex) {

            EventLog.writeEvent(0x534e4554, "73252178", -1, "");

            throw new IllegalStateException("Expected array of length " + mNextIndex + " but was "

                    + mLongs.get(N - 1).length);

        }

    }



    /**