libs/binder/Parcel.cpp +4 −0 Original line number Diff line number Diff line Loading @@ -375,6 +375,10 @@ size_t Parcel::dataSize() const return (mDataSize > mDataPos ? mDataSize : mDataPos); } size_t Parcel::dataBufferSize() const { return mDataSize; } size_t Parcel::dataAvail() const { size_t result = dataSize() - dataPosition(); Loading
libs/binder/include/binder/Parcel.h +1 −0 Original line number Diff line number Diff line Loading @@ -75,6 +75,7 @@ public: size_t dataAvail() const; size_t dataPosition() const; size_t dataCapacity() const; size_t dataBufferSize() const; status_t setDataSize(size_t size); Loading
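Review bot: The new `size_t dataBufferSize() const;` declaration sits next to `dataSize()` and `dataCapacity()` with no comment saying how it differs from either, and the name reads much like a capacity getter. From the Parcel.cpp section, `dataSize()` returns the larger of mDataSize and mDataPos while this accessor returns mDataSize alone, which is exactly the property callers doing bounds checks rely on. I would document that on the declaration, e.g. `// Bytes of data actually held in the buffer (mDataSize). Unlike dataSize(), never reports a data position that was moved past the end; use this for bounds checks before copying out.`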
libs/binder/ndk/parcel.cpp +4 −1 Original line number Diff line number Diff line Loading @@ -695,7 +695,10 @@ binder_status_t AParcel_marshal(const AParcel* parcel, uint8_t* buffer, size_t s if (parcel->get()->objectsCount()) { return STATUS_INVALID_OPERATION; } int32_t dataSize = AParcel_getDataSize(parcel); // b/264739302 - getDataSize will return dataPos if it is greater than dataSize // which will cause crashes in memcpy at later point. Instead compare with // actual length of internal buffer int32_t dataSize = parcel->get()->dataBufferSize(); if (len > static_cast<size_t>(dataSize) || start > static_cast<size_t>(dataSize) - len) { return STATUS_BAD_VALUE; } Loading
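Review bot: The added `int32_t dataSize = parcel->get()->dataBufferSize();` narrows a `size_t` to `int32_t` and the bounds check on the following line casts it straight back to `size_t`; if the stored size ever exceeded INT32_MAX the value would turn negative and the cast would produce a very large bound, so the check would pass. Keeping the native type removes both casts: `const size_t dataSize = parcel->get()->dataBufferSize();` followed by `if (len > dataSize || start > dataSize - len) {`. Whether Parcel already caps its size below that limit is not visible in this hunk, so treat this as hardening rather than a confirmed defect. The rest of AParcel_marshal, including the memcpy the new comment refers to, lies outside the hunk, and no test accompanies the change; a regression test that marshals a parcel whose data position has been moved past its data size and expects STATUS_BAD_VALUE would pin the fix.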