Update Parcel readLazyValue to ignore negative object lengths - platform/frameworks/base

diff options

author	Hani Kazmi <hanikazmi@google.com>	2022-09-27 10:19:45 +0000
committer	Hani Kazmi <hanikazmi@google.com>	2022-10-04 17:32:27 +0000
commit	34683275498914ece5ee9435846b7b429ccfc964 (patch)
tree	89265e3c792fd2e69ef5db537d6019c452e35192 /libs/androidfw/StringPool.cpp
parent	e7ef7b04b830bf52f9ddb945e33b268eeb1fe5b9 (diff)

Update Parcel readLazyValue to ignore negative object lengths

Addresses a security vulnerability where a (-8) length object would cause dataPosition to be reset back to the statt of the value, and be re-read again. Bug: 240138294 Test: atest ParcelTest BundleTest AmbiguousBundlesTest Test: manually ran PoC Change-Id: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4 Merged-In: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4

Diffstat (limited to 'libs/androidfw/StringPool.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: