Update Parcel readLazyValue to ignore negative object lengths - platform/frameworks/base

diff options

author	Hani Kazmi <hanikazmi@google.com>	2022-09-27 10:19:45 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2022-10-08 00:10:19 +0000
commit	569c3023f839bca077cd3cccef0a3bef9c31af63 (patch)
tree	b3ce1611ed2d9b0ef06ff239da4dbdab415837d8 /libs/androidfw/ApkParsing.cpp
parent	1e41d33566f84f624f6a755e4493432d5bd82915 (diff)

Update Parcel readLazyValue to ignore negative object lengths

Addresses a security vulnerability where a (-8) length object would cause dataPosition to be reset back to the statt of the value, and be re-read again. Bug: 240138294 Test: atest ParcelTest BundleTest AmbiguousBundlesTest Test: manually ran PoC Change-Id: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4 Merged-In: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4 (cherry picked from commit 8e01230dd264d652c6f4c82d850da5afc4768bdc) Merged-In: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4

Diffstat (limited to 'libs/androidfw/ApkParsing.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: