
Commit 6edc87ff authored by Pawan Wagh's avatar Pawan Wagh Committed by Automerger Merge Worker

Merge "Check for data buffer size while marshalling parcel" am: c7a3e756 am: 2962439d

parents 456418b3 2962439d
+4 −0
@@ -375,6 +375,10 @@ size_t Parcel::dataSize() const
    return (mDataSize > mDataPos ? mDataSize : mDataPos);
}

size_t Parcel::dataBufferSize() const {
    return mDataSize;
}

size_t Parcel::dataAvail() const
{
    size_t result = dataSize() - dataPosition();
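Review bot: The new `Parcel::dataBufferSize()` has no comment explaining how it differs from `dataSize()` just above it, which returns the larger of `mDataSize` and `mDataPos`, and the same is true of its declaration in the header section that follows. Since the accessor exists so that bounds checks compare against the real buffer length, I would state that at the declaration, for example `// Length of the data held in the internal buffer (mDataSize); unlike dataSize(), never reports mDataPos. Use this for bounds checks before copying.` As a style point, the definition puts `{` on the signature line while the neighbouring `dataAvail()` uses a brace on its own line, and the header declaration is not column-aligned with the accessors around it. `dataAvail()` continues outside the hunk.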
+1 −0
@@ -75,6 +75,7 @@ public:
    size_t              dataAvail() const;
    size_t              dataPosition() const;
    size_t              dataCapacity() const;
    size_t dataBufferSize() const;

    status_t            setDataSize(size_t size);

+4 −1
@@ -695,7 +695,10 @@ binder_status_t AParcel_marshal(const AParcel* parcel, uint8_t* buffer, size_t s
    if (parcel->get()->objectsCount()) {
        return STATUS_INVALID_OPERATION;
    }
    int32_t dataSize = AParcel_getDataSize(parcel);
    // b/264739302 - getDataSize will return dataPos if it is greater than dataSize
    // which will cause crashes in memcpy at later point. Instead compare with
    // actual length of internal buffer
    int32_t dataSize = parcel->get()->dataBufferSize();
    if (len > static_cast<size_t>(dataSize) || start > static_cast<size_t>(dataSize) - len) {
        return STATUS_BAD_VALUE;
    }
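Review bot: The replacement `dataSize` is still declared `int32_t` even though `dataBufferSize()` returns `size_t`, so the length is narrowed and then cast back to `size_t` on the bounds-check line. If the buffer length could ever exceed INT32_MAX (nothing visible in this hunk rules that out), the narrowed value would be negative and the cast would turn it into a very large bound, so the `len`/`start` check would no longer protect the later copy. Keeping the value unsigned removes the narrowing and both casts: `const size_t dataSize = parcel->get()->dataBufferSize();` followed by `if (len > dataSize || start > dataSize - len) {`. `AParcel_marshal` begins and continues outside the hunk, so the memcpy the comment refers to is not visible here.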