
Commit cc41940e authored by Steven Moreland's avatar Steven Moreland Committed by android-build-merger

[RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets. am: 00d4358f

am: f983d92c

Change-Id: Ib1e86fce0a4dd1796f173c1887a43314944767a1
parents 9d5523b8 f983d92c
+22 −2
@@ -76,13 +76,23 @@ status_t Status::readFromParcel(const Parcel& parcel) {
    // Skip over fat response headers.  Not used (or propagated) in native code.
    // Skip over fat response headers.  Not used (or propagated) in native code.
    if (mException == EX_HAS_REPLY_HEADER) {
    if (mException == EX_HAS_REPLY_HEADER) {
        // Note that the header size includes the 4 byte size field.
        // Note that the header size includes the 4 byte size field.
        const int32_t header_start = parcel.dataPosition();
        const size_t header_start = parcel.dataPosition();
        // Get available size before reading more
        const size_t header_avail = parcel.dataAvail();

        int32_t header_size;
        int32_t header_size;
        status = parcel.readInt32(&header_size);
        status = parcel.readInt32(&header_size);
        if (status != OK) {
        if (status != OK) {
            setFromStatusT(status);
            setFromStatusT(status);
            return status;
            return status;
        }
        }

        if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
            android_errorWriteLog(0x534e4554, "132650049");
            setFromStatusT(UNKNOWN_ERROR);
            return UNKNOWN_ERROR;
        }

        parcel.setDataPosition(header_start + header_size);
        parcel.setDataPosition(header_start + header_size);
        // And fat response headers are currently only used when there are no
        // And fat response headers are currently only used when there are no
        // exceptions, so act like there was no error.
        // exceptions, so act like there was no error.
@@ -106,13 +116,23 @@ status_t Status::readFromParcel(const Parcel& parcel) {
        status = parcel.readInt32(&mErrorCode);
        status = parcel.readInt32(&mErrorCode);
    } else if (mException == EX_PARCELABLE) {
    } else if (mException == EX_PARCELABLE) {
        // Skip over the blob of Parcelable data
        // Skip over the blob of Parcelable data
        const int32_t header_start = parcel.dataPosition();
        const size_t header_start = parcel.dataPosition();
        // Get available size before reading more
        const size_t header_avail = parcel.dataAvail();

        int32_t header_size;
        int32_t header_size;
        status = parcel.readInt32(&header_size);
        status = parcel.readInt32(&header_size);
        if (status != OK) {
        if (status != OK) {
            setFromStatusT(status);
            setFromStatusT(status);
            return status;
            return status;
        }
        }

        if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
            android_errorWriteLog(0x534e4554, "132650049");
            setFromStatusT(UNKNOWN_ERROR);
            return UNKNOWN_ERROR;
        }

        parcel.setDataPosition(header_start + header_size);
        parcel.setDataPosition(header_start + header_size);
    }
    }
    if (status != OK) {
    if (status != OK) {
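Review bot: The new bounds check in both branches still accepts a header_size of 0 to 3, even though the comment in the EX_HAS_REPLY_HEADER branch says the size includes the 4 byte size field. For such a value `parcel.setDataPosition(header_start + header_size)` puts the read position back at or inside the size field that was just consumed, so whatever is read next would start inside the header instead of the parcel being rejected. Tightening the lower bound would close that, e.g. `if (header_size < static_cast<int32_t>(sizeof(int32_t)) || static_cast<size_t>(header_size) > header_avail) {`; whether the EX_PARCELABLE size is also inclusive of its size field is not visible here and should be confirmed before applying the same bound to the second check. The two added blocks are line-for-line copies, so a small file-local helper would keep the validation from drifting between the branches. readFromParcel begins and ends outside both hunks.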