
Commit 65a8f07e authored by Casey Dahlin

Fix integer overflow in unsafeReadTypedVector

Passing a size to std::vector that is too big causes it to silently
under-allocate when exceptions are disabled, leaving us open to an OOB
write. We check the bounds and the resulting size now to verify
allocation succeeds.

Test: Verified reproducer attached to bug no longer crashes Camera
      service.
Bug: 31677614

Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7
parent 82110471
+8 −0
@@ -589,8 +589,16 @@ status_t Parcel::unsafeReadTypedVector(
        return UNEXPECTED_NULL;
    }

    if (val->max_size() < size) {
        return NO_MEMORY;
    }

    val->resize(size);

    if (val->size() < size) {
        return NO_MEMORY;
    }

    for (auto& v: *val) {
        status = (this->*read_func)(&v);
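Review bot: The `val->size() < size` check after `val->resize(size)` carries no comment, and without the commit message it reads as dead code, since a resize is normally expected to either reach the requested size or throw. A one-line comment stating that exceptions are disabled here and resize can silently under-allocate would keep a later cleanup from removing it. Separately, `val->max_size() < size` only rejects counts the vector type cannot represent, so a large but representable `size` still reaches the allocation; consider also rejecting a `size` larger than the remaining parcel data could supply before calling resize. The type of `size` is not visible in this hunk; if it is signed, both comparisons depend on implicit conversion to an unsigned type, and an explicit negative check or cast would make that intent clear.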