From 80b9d69d7313dfb085265988f1296079a59e7759 Mon Sep 17 00:00:00 2001
From: Michael Wachenschwanz <mwachens@google.com>
Date: Fri, 24 Aug 2018 21:50:35 -0700
Subject: Verify number of Map entries written to Parcel

Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.

Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Fixes: 112859604
Test: atest android.os.cts.ParcelTest
---
 core/java/android/os/Parcel.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java
index 7e7666adfeed..cc6bb12a0894 100644
--- a/core/java/android/os/Parcel.java
+++ b/core/java/android/os/Parcel.java
@@ -846,11 +846,19 @@ public final class Parcel {
             return;
         }
         Set<Map.Entry<String,Object>> entries = val.entrySet();
-        writeInt(entries.size());
+        int size = entries.size();
+        writeInt(size);
+
         for (Map.Entry<String,Object> e : entries) {
             writeValue(e.getKey());
             writeValue(e.getValue());
+            size--;
         }
+
+        if (size != 0) {
+            throw new BadParcelableException("Map size does not match number of entries!");
+        }
+
     }
 
     /**
-- 
cgit v1.2.3-59-g8ed1b