Binder: Make sure binder objects do not overlap (4cab0fd7) · Commits · e / os / platform_frameworks_native

libs/binder/Parcel.cpp

+12 −0

Original line number	Diff line number	Diff line
		@@ -35,6 +35,7 @@

		#include <private/binder/binder_module.h>

		#include <inttypes.h>
		#include <stdio.h>
		#include <stdlib.h>
		#include <stdint.h>
		@@ -1342,6 +1343,7 @@ size_t Parcel::ipcObjectsCount() const
		void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
		const binder_size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie)
		{
		binder_size_t minOffset = 0;
		freeDataNoInit();
		mError = NO_ERROR;
		mData = const_cast<uint8_t*>(data);
		@@ -1354,6 +1356,16 @@ void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
		mNextObjectHint = 0;
		mOwner = relFunc;
		mOwnerCookie = relCookie;
		for (size_t i = 0; i < mObjectsSize; i++) {
		binder_size_t offset = mObjects[i];
		if (offset < minOffset) {
		ALOGE("%s: bad object offset %"PRIu64" < %"PRIu64"\n",
		__func__, (uint64_t)offset, (uint64_t)minOffset);
		mObjectsSize = 0;
		break;
		}
		minOffset = offset + sizeof(flat_binder_object);
		}
		scanForFds();
		}