Check mDataPos to see if the Parcel needs to grow

Flag: EXEMPT bug fix Ignore-AOSP-First: security fix Test: atest binderUnitTest Bug: 399155883 Change-Id: I38b755ca3381cfca3300292873f763823fbf169b
author: Devin Moore <devinmoore@google.com> 2025-03-12 19:35:53 +0000
committer: Devin Moore <devinmoore@google.com> 2025-03-19 21:30:35 +0000
commit: 611b730bade54a0a79dbcc3087d9393086e6dbdf (patch)
tree: 1342bd6bef5a470a6796edecac33ee6cc1d0455f
parent: d0503fa4db892711445b44302d36968a88a469a8 (diff)
2 files changed, 12 insertions, 1 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 777c22a63e..2c37624304 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -542,7 +542,7 @@ status_t Parcel::appendFrom(const Parcel* parcel, size_t offset, size_t len) {
         return BAD_VALUE;
     }
 
-    if ((mDataSize+len) > mDataCapacity) {
+    if ((mDataPos + len) > mDataCapacity) {
         // grow data
         err = growData(len);
         if (err != NO_ERROR) {
diff --git a/libs/binder/tests/binderParcelUnitTest.cpp b/libs/binder/tests/binderParcelUnitTest.cpp
index 6259d9d2d2..a71da3f384 100644
--- a/libs/binder/tests/binderParcelUnitTest.cpp
+++ b/libs/binder/tests/binderParcelUnitTest.cpp
@@ -197,6 +197,17 @@ TEST(Parcel, AppendPlainDataPartial) {
     ASSERT_EQ(2, p2.readInt32());
 }
 
+TEST(Parcel, AppendWithBadDataPos) {
+    Parcel p1;
+    p1.writeInt32(1);
+    p1.writeInt32(1);
+    Parcel p2;
+    p2.setDataCapacity(8);
+    p2.setDataPosition(10000);
+
+    EXPECT_EQ(android::BAD_VALUE, p2.appendFrom(&p1, 0, 8));
+}
+
 TEST(Parcel, HasBinders) {
     sp<IBinder> b1 = sp<BBinder>::make();
author	Devin Moore <devinmoore@google.com>	2025-03-12 19:35:53 +0000
committer	Devin Moore <devinmoore@google.com>	2025-03-19 21:30:35 +0000
commit	611b730bade54a0a79dbcc3087d9393086e6dbdf (patch)
tree	1342bd6bef5a470a6796edecac33ee6cc1d0455f
parent	d0503fa4db892711445b44302d36968a88a469a8 (diff)