Merge "[RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets." into oc-dev

    // Skip over fat response headers.  Not used (or propagated) in native code.

    if (mException == EX_HAS_REPLY_HEADER) {

        // Note that the header size includes the 4 byte size field.

        const int32_t header_start = parcel.dataPosition();

        const size_t header_start = parcel.dataPosition();

        // Get available size before reading more

        const size_t header_avail = parcel.dataAvail();

        int32_t header_size;

        status = parcel.readInt32(&header_size);

        if (status != OK) {

            setFromStatusT(status);

            return status;

        }

        if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {

            android_errorWriteLog(0x534e4554, "132650049");

            setFromStatusT(UNKNOWN_ERROR);

            return UNKNOWN_ERROR;

        }

        parcel.setDataPosition(header_start + header_size);

        // And fat response headers are currently only used when there are no

        // exceptions, so act like there was no error.

        status = parcel.readInt32(&mErrorCode);

    } else if (mException == EX_PARCELABLE) {

        // Skip over the blob of Parcelable data

        const int32_t header_start = parcel.dataPosition();

        const size_t header_start = parcel.dataPosition();

        // Get available size before reading more

        const size_t header_avail = parcel.dataAvail();

        int32_t header_size;

        status = parcel.readInt32(&header_size);

        if (status != OK) {

            setFromStatusT(status);

            return status;

        }

        if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {

            android_errorWriteLog(0x534e4554, "132650049");

            setFromStatusT(UNKNOWN_ERROR);

            return UNKNOWN_ERROR;

        }

        parcel.setDataPosition(header_start + header_size);

    }

    if (status != OK) {