| author | 2023-01-24 15:44:28 +0000 | |
|---|---|---|
| committer | 2023-01-24 15:44:28 +0000 | |
| commit | 2962439d9f54fc3b64a671a68134a74d1a343d04 (patch) | |
| tree | 5bbfb1d03f3bcf6606659475acccb9e5e587ad76 | |
| parent | 6941783267f4db8739e16dcb434908bfc48e8c53 (diff) | |
| parent | c7a3e7567986b431a2d5ab356327ecc971e244b7 (diff) | |
Merge "Check for data buffer size while marshalling parcel" am: c7a3e75679
Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2398097
Change-Id: Ifffe7c1a94b6a86b30b5d3baa8a8c603a43ec5e0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| -rw-r--r-- | libs/binder/Parcel.cpp | 4 | ||||
| -rw-r--r-- | libs/binder/include/binder/Parcel.h | 1 | ||||
| -rw-r--r-- | libs/binder/ndk/parcel.cpp | 5 |
3 files changed, 9 insertions, 1 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 44ff62bf26..0aca163eab 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -375,6 +375,10 @@ size_t Parcel::dataSize() const
     return (mDataSize > mDataPos ? mDataSize : mDataPos);
 }
 
+size_t Parcel::dataBufferSize() const {
+    return mDataSize;
+}
+
 size_t Parcel::dataAvail() const
 {
     size_t result = dataSize() - dataPosition();
diff --git a/libs/binder/include/binder/Parcel.h b/libs/binder/include/binder/Parcel.h
index f730acb9f8..162cd406dc 100644
--- a/libs/binder/include/binder/Parcel.h
+++ b/libs/binder/include/binder/Parcel.h
@@ -75,6 +75,7 @@ public:
     size_t dataAvail() const;
     size_t dataPosition() const;
     size_t dataCapacity() const;
+    size_t dataBufferSize() const;
 
     status_t setDataSize(size_t size);
 
diff --git a/libs/binder/ndk/parcel.cpp b/libs/binder/ndk/parcel.cpp
index 94f72d96f6..b5a2e2ff0b 100644
--- a/libs/binder/ndk/parcel.cpp
+++ b/libs/binder/ndk/parcel.cpp
@@ -695,7 +695,10 @@ binder_status_t AParcel_marshal(const AParcel* parcel, uint8_t* buffer, size_t s
     if (parcel->get()->objectsCount()) {
         return STATUS_INVALID_OPERATION;
     }
-    int32_t dataSize = AParcel_getDataSize(parcel);
+    // b/264739302 - getDataSize will return dataPos if it is greater than dataSize
+    // which will cause crashes in memcpy at later point. Instead compare with
+    // actual length of internal buffer
+    int32_t dataSize = parcel->get()->dataBufferSize();
     if (len > static_cast<size_t>(dataSize) || start > static_cast<size_t>(dataSize) - len) {
         return STATUS_BAD_VALUE;
     }
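Review bot: The new `Parcel::dataBufferSize()` definition puts the opening brace on the signature line, while the neighbouring `dataSize()` and `dataAvail()` definitions in this hunk appear to place `{` on its own line; matching the surrounding layout would keep the file consistent. The definition also carries no comment explaining why a second size accessor exists next to `dataSize()`, which from the context line returns the larger of `mDataSize` and `mDataPos`; a one-liner such as `// Raw length of the data buffer (mDataSize), independent of the read/write position, unlike dataSize().` above the definition would make the distinction obvious to the next reader.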
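Review bot: The declaration `size_t dataBufferSize() const;` is added to the public interface in Parcel.h without any documentation, and its name alone does not tell a caller how it differs from `dataSize()` or `dataCapacity()` declared just above it. Since the accessor exists precisely because `dataSize()` can report the position rather than the buffer length, that contract belongs on the declaration: `// Length of the internal data buffer. Unlike dataSize(), this is not inflated by the current data position; use it for bounds checks against the buffer.`. Whether callers outside the NDK should prefer one over the other is not visible here and is worth stating explicitly in the same comment if the authors know.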
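Review bot: The bounds check now starts from a `size_t` (`dataBufferSize()` returns `size_t` per the other two hunks) but narrows it into `int32_t dataSize` and then widens it back with `static_cast<size_t>(dataSize)` on the next line; the round trip was inherited from `AParcel_getDataSize`, which returned `int32_t`, and is no longer needed. If the buffer length ever exceeded `INT32_MAX`, the intermediate value would be negative and the cast back to `size_t` would turn it into a huge bound that makes the check pass; whether Parcel caps `mDataSize` below that is not visible in this hunk, so the safer form is to keep the value unsigned: `size_t dataSize = parcel->get()->dataBufferSize();` and `if (len > dataSize || start > dataSize - len) {`. The `len > dataSize` test before the subtraction already prevents `dataSize - len` from underflowing, so the two-part condition stays correct with the unsigned type. The body of `AParcel_marshal`, including the memcpy the comment refers to, continues past the end of the hunk.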