From 34683275498914ece5ee9435846b7b429ccfc964 Mon Sep 17 00:00:00 2001
From: Hani Kazmi
Date: Tue, 27 Sep 2022 10:19:45 +0000
Subject: Update Parcel readLazyValue to ignore negative object lengths

Addresses a security vulnerability where a (-8) length object would cause dataPosition to be reset back to the statt of the value, and be re-read again.

Bug: 240138294
Test: atest ParcelTest BundleTest AmbiguousBundlesTest
Test: manually ran PoC
Change-Id: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4
Merged-In: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4
---
 core/java/android/os/Parcel.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java
index 3d701389a98e..a7349f9e473e 100644
--- a/core/java/android/os/Parcel.java
+++ b/core/java/android/os/Parcel.java
@@ -4388,6 +4388,9 @@ public final class Parcel {
 int type = readInt();
 if (isLengthPrefixed(type)) {
 int objectLength = readInt();
+ if (objectLength < 0) {
+ return null;
+ }
 int end = MathUtils.addOrThrow(dataPosition(), objectLength);
 int valueLength = end - start;
 setDataPosition(end);
-- cgit v1.2.3-59-g8ed1b
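Review bot: The new `if (objectLength < 0) { return null; }` guard rejects the malformed length silently: the caller gets the same `null` it would get for a legitimately null value, and the read position is left just past the length word rather than at a known value boundary. Whatever reads next from this Parcel therefore starts inside the malformed entry, and nothing records that a negative length was seen. Consider failing closed instead, for example `throw new BadParcelableException("Negative object length: " + objectLength);`, or at minimum log the rejection so it shows up in triage; if returning null is deliberate for compatibility, say so in a comment such as `// Negative length would move dataPosition backwards; treat as malformed`. The enclosing method starts and ends outside the hunk, so how callers treat the null is not visible here.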