1 files changed, 22 insertions, 6 deletions

diff --git a/services/companion/java/com/android/server/companion/BackupRestoreProcessor.java b/services/companion/java/com/android/server/companion/BackupRestoreProcessor.java
index 5e52e06248cb..82e9a26310e8 100644
--- a/services/companion/java/com/android/server/companion/BackupRestoreProcessor.java
+++ b/services/companion/java/com/android/server/companion/BackupRestoreProcessor.java
@@ -111,6 +111,11 @@ class BackupRestoreProcessor {
         Slog.i(TAG, "applyRestoredPayload() userId=[" + userId + "], payload size=["
                 + payload.length + "].");
 
+        if (payload.length == 0) {
+            Slog.i(TAG, "CDM backup payload was empty.");
+            return;
+        }
+
         ByteBuffer buffer = ByteBuffer.wrap(payload);
 
         // Make sure that payload version matches current version to ensure proper deserialization
@@ -120,15 +125,26 @@ class BackupRestoreProcessor {
             return;
         }
 
-        // Read the bytes containing backed-up associations
-        byte[] associationsPayload = new byte[buffer.getInt()];
-        buffer.get(associationsPayload);
+        // Pre-load the bytes into memory before processing them to ensure payload mal-formatting
+        // error is caught early on.
+        final byte[] associationsPayload;
+        final byte[] requestsPayload;
+        try {
+            // Read the bytes containing backed-up associations
+            associationsPayload = new byte[buffer.getInt()];
+            buffer.get(associationsPayload);
+
+            // Read the bytes containing backed-up system data transfer requests user consent
+            requestsPayload = new byte[buffer.getInt()];
+            buffer.get(requestsPayload);
+        } catch (Exception bufferException) {
+            Slog.e(TAG, "CDM backup payload was mal-formatted.", bufferException);
+            return;
+        }
+
         final Associations restoredAssociations = readAssociationsFromPayload(
                 associationsPayload, userId);
 
-        // Read the bytes containing backed-up system data transfer requests user consent
-        byte[] requestsPayload = new byte[buffer.getInt()];
-        buffer.get(requestsPayload);
         List<SystemDataTransferRequest> restoredRequestsForUser =
                 mSystemDataTransferRequestStore.readRequestsFromPayload(requestsPayload, userId);