Update Parcel readLazyValue to ignore negative object lengths - platform/frameworks/base

diff options

author	Hani Kazmi <hanikazmi@google.com>	2022-09-27 10:19:45 +0000
committer	Hani Kazmi <hanikazmi@google.com>	2022-10-04 17:32:07 +0000
commit	8e01230dd264d652c6f4c82d850da5afc4768bdc (patch)
tree	0ee2d7dcec0fff130a9140ca142ce34f9891ff3a /libs/androidfw/StringPool.cpp
parent	2c130a95c6cc73214c00668c8f55eae7ddcda697 (diff)

Update Parcel readLazyValue to ignore negative object lengths

Addresses a security vulnerability where a (-8) length object would cause dataPosition to be reset back to the statt of the value, and be re-read again. Bug: 240138294 Test: atest ParcelTest BundleTest AmbiguousBundlesTest Test: manually ran PoC Change-Id: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4 Merged-In: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4

Diffstat (limited to 'libs/androidfw/StringPool.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: