Loading libs/binder/Status.cpp +29 −2 Original line number Original line Diff line number Diff line Loading @@ -102,13 +102,23 @@ status_t Status::readFromParcel(const Parcel& parcel) { // Skip over fat response headers. Not used (or propagated) in native code. // Skip over fat response headers. Not used (or propagated) in native code. if (mException == EX_HAS_REPLY_HEADER) { if (mException == EX_HAS_REPLY_HEADER) { // Note that the header size includes the 4 byte size field. // Note that the header size includes the 4 byte size field. const int32_t header_start = parcel.dataPosition(); const size_t header_start = parcel.dataPosition(); // Get available size before reading more const size_t header_avail = parcel.dataAvail(); int32_t header_size; int32_t header_size; status = parcel.readInt32(&header_size); status = parcel.readInt32(&header_size); if (status != OK) { if (status != OK) { setFromStatusT(status); setFromStatusT(status); return status; return status; } } if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) { android_errorWriteLog(0x534e4554, "132650049"); setFromStatusT(UNKNOWN_ERROR); return UNKNOWN_ERROR; } parcel.setDataPosition(header_start + header_size); parcel.setDataPosition(header_start + header_size); // And fat response headers are currently only used when there are no // And fat response headers are currently only used when there are no // exceptions, so act like there was no error. // exceptions, so act like there was no error. Loading 
@@ -135,19 +145,36 @@ status_t Status::readFromParcel(const Parcel& parcel) { setFromStatusT(status); setFromStatusT(status); return status; return status; } } if (remote_stack_trace_header_size < 0 || static_cast<size_t>(remote_stack_trace_header_size) > parcel.dataAvail()) { android_errorWriteLog(0x534e4554, "132650049"); setFromStatusT(UNKNOWN_ERROR); return UNKNOWN_ERROR; } parcel.setDataPosition(parcel.dataPosition() + remote_stack_trace_header_size); parcel.setDataPosition(parcel.dataPosition() + remote_stack_trace_header_size); if (mException == EX_SERVICE_SPECIFIC) { if (mException == EX_SERVICE_SPECIFIC) { status = parcel.readInt32(&mErrorCode); status = parcel.readInt32(&mErrorCode); } else if (mException == EX_PARCELABLE) { } else if (mException == EX_PARCELABLE) { // Skip over the blob of Parcelable data // Skip over the blob of Parcelable data const int32_t header_start = parcel.dataPosition(); const size_t header_start = parcel.dataPosition(); // Get available size before reading more const size_t header_avail = parcel.dataAvail(); int32_t header_size; int32_t header_size; status = parcel.readInt32(&header_size); status = parcel.readInt32(&header_size); if (status != OK) { if (status != OK) { setFromStatusT(status); setFromStatusT(status); return status; return status; } } if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) { android_errorWriteLog(0x534e4554, "132650049"); setFromStatusT(UNKNOWN_ERROR); return UNKNOWN_ERROR; } parcel.setDataPosition(header_start + header_size); parcel.setDataPosition(header_start + header_size); } } if (status != OK) { if (status != OK) { Loading Loading
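Review bot: The new bounds check in the EX_HAS_REPLY_HEADER branch still accepts `header_size` values 0 through 3, even though the comment above it says the size includes the 4-byte size field. For those values `parcel.setDataPosition(header_start + header_size)` leaves the cursor at or inside the size field that was just read rather than past the header, so later reads reinterpret those bytes. Tightening the lower bound would reject this, e.g. `if (header_size < static_cast<int32_t>(sizeof(int32_t)) || static_cast<size_t>(header_size) > header_avail) {`. The EX_PARCELABLE branch in the second hunk also seeks from `header_start`, so it appears to use the same convention and would want the same bound; the `remote_stack_trace_header_size` check seeks from the post-read position and is not affected. The body of `readFromParcel` starts and ends outside both hunks, so how the position is consumed afterwards is not visible here.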
libs/binder/Status.cpp +29 −2 Original line number Original line Diff line number Diff line Loading @@ -102,13 +102,23 @@ status_t Status::readFromParcel(const Parcel& parcel) { // Skip over fat response headers. Not used (or propagated) in native code. // Skip over fat response headers. Not used (or propagated) in native code. if (mException == EX_HAS_REPLY_HEADER) { if (mException == EX_HAS_REPLY_HEADER) { // Note that the header size includes the 4 byte size field. // Note that the header size includes the 4 byte size field. const int32_t header_start = parcel.dataPosition(); const size_t header_start = parcel.dataPosition(); // Get available size before reading more const size_t header_avail = parcel.dataAvail(); int32_t header_size; int32_t header_size; status = parcel.readInt32(&header_size); status = parcel.readInt32(&header_size); if (status != OK) { if (status != OK) { setFromStatusT(status); setFromStatusT(status); return status; return status; } } if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) { android_errorWriteLog(0x534e4554, "132650049"); setFromStatusT(UNKNOWN_ERROR); return UNKNOWN_ERROR; } parcel.setDataPosition(header_start + header_size); parcel.setDataPosition(header_start + header_size); // And fat response headers are currently only used when there are no // And fat response headers are currently only used when there are no // exceptions, so act like there was no error. // exceptions, so act like there was no error. Loading 
@@ -135,19 +145,36 @@ status_t Status::readFromParcel(const Parcel& parcel) { setFromStatusT(status); setFromStatusT(status); return status; return status; } } if (remote_stack_trace_header_size < 0 || static_cast<size_t>(remote_stack_trace_header_size) > parcel.dataAvail()) { android_errorWriteLog(0x534e4554, "132650049"); setFromStatusT(UNKNOWN_ERROR); return UNKNOWN_ERROR; } parcel.setDataPosition(parcel.dataPosition() + remote_stack_trace_header_size); parcel.setDataPosition(parcel.dataPosition() + remote_stack_trace_header_size); if (mException == EX_SERVICE_SPECIFIC) { if (mException == EX_SERVICE_SPECIFIC) { status = parcel.readInt32(&mErrorCode); status = parcel.readInt32(&mErrorCode); } else if (mException == EX_PARCELABLE) { } else if (mException == EX_PARCELABLE) { // Skip over the blob of Parcelable data // Skip over the blob of Parcelable data const int32_t header_start = parcel.dataPosition(); const size_t header_start = parcel.dataPosition(); // Get available size before reading more const size_t header_avail = parcel.dataAvail(); int32_t header_size; int32_t header_size; status = parcel.readInt32(&header_size); status = parcel.readInt32(&header_size); if (status != OK) { if (status != OK) { setFromStatusT(status); setFromStatusT(status); return status; return status; } } if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) { android_errorWriteLog(0x534e4554, "132650049"); setFromStatusT(UNKNOWN_ERROR); return UNKNOWN_ERROR; } parcel.setDataPosition(header_start + header_size); parcel.setDataPosition(header_start + header_size); } } if (status != OK) { if (status != OK) { Loading