author Steven Moreland <smoreland@google.com> 2019-06-05 09:57:23 -0700
committer android-build-merger <android-build-merger@google.com> 2019-06-05 09:57:23 -0700
commitf983d92cbb6b374a1842d629584e8f9dfeaf8325 (patch)
tree1e9fe5df64e19c31067a781b06f83f2aea8c96c4
parenta9d88cd6082463a3d06ff55ee57ff0fdb3649530 (diff)
parent00d4358fcd2875b1e26ac50d620f2dec439ef3ee (diff)
[RESTRICT AUTOMERGE] libbinder: Status: check dataPosition sets.
am: 00d4358fcd Change-Id: I2850cd2451db1457e742e1d2c81817e23275fb3b
-rw-r--r--libs/binder/Status.cpp24
1 files changed, 22 insertions, 2 deletions
diff --git a/libs/binder/Status.cpp b/libs/binder/Status.cpp
index 006f7f94e9..8b9dee8628 100644
--- a/libs/binder/Status.cpp
+++ b/libs/binder/Status.cpp
@@ -76,13 +76,23 @@ status_t Status::readFromParcel(const Parcel& parcel) {
// Skip over fat response headers. Not used (or propagated) in native code.
if (mException == EX_HAS_REPLY_HEADER) {
// Note that the header size includes the 4 byte size field.
- const int32_t header_start = parcel.dataPosition();
+ const size_t header_start = parcel.dataPosition();
+ // Get available size before reading more
+ const size_t header_avail = parcel.dataAvail();
+
int32_t header_size;
status = parcel.readInt32(&header_size);
if (status != OK) {
setFromStatusT(status);
return status;
}
+
+ if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
+
parcel.setDataPosition(header_start + header_size);
// And fat response headers are currently only used when there are no
// exceptions, so act like there was no error.
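Review bot: The new guard on `header_size` rejects negative and oversized values but still accepts 0 through 3, even though the comment above says the size includes the 4-byte size field. With such a value, `parcel.setDataPosition(header_start + header_size)` moves the read position back to or into the size field that was just consumed, so whatever reads the parcel next would reinterpret those bytes. Consider tightening the check to `if (header_size < static_cast<int32_t>(sizeof(int32_t)) || static_cast<size_t>(header_size) > header_avail) {`. The EX_PARCELABLE branch in the next hunk has the same check and, assuming its size field also counts itself, the same gap. The body of readFromParcel starts and ends outside this hunk.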
@@ -106,13 +116,23 @@ status_t Status::readFromParcel(const Parcel& parcel) {
status = parcel.readInt32(&mErrorCode);
} else if (mException == EX_PARCELABLE) {
// Skip over the blob of Parcelable data
- const int32_t header_start = parcel.dataPosition();
+ const size_t header_start = parcel.dataPosition();
+ // Get available size before reading more
+ const size_t header_avail = parcel.dataAvail();
+
int32_t header_size;
status = parcel.readInt32(&header_size);
if (status != OK) {
setFromStatusT(status);
return status;
}
+
+ if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
+
parcel.setDataPosition(header_start + header_size);
}
if (status != OK) {
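Review bot: The `android_errorWriteLog(0x534e4554, "132650049");` call carries two unexplained literals: 0x534e4554 is the ASCII tag "SNET", and the string is, by convention, the tracking bug id. A one-line comment above it, such as `// SafetyNet ("SNET") event log entry for bug 132650049: blob size outside the parcel.`, would make clear that this is a detection signal for a malformed parcel rather than ordinary logging. The identical call in the EX_HAS_REPLY_HEADER branch of the previous hunk would take the same comment.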