Merge "Fix offset check in Parcel::hasFileDescriptorsInRange()" am: bc584178da am: 41952d83fd am: 055f45264b am: f809408176 am: 69e6689420

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/1859393 Change-Id: Ia08d3ae421760c17ba1f39ce2ae43e3b22abf4c0
author: Bernardo Rufino <brufino@google.com> 2021-10-21 11:33:18 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2021-10-21 11:33:18 +0000
commit: 03ea1e4b9c2d3c97a8f912c374e702b31a7777cb (patch)
tree: 537f8bfb6f76bcdca446274486429987334874fc /libs/binder/Parcel.cpp
parent: 4746c855fb82bda50ca5c4cccbcd84f264f0b4a4 (diff)
parent: 69e66894203b5f8b5750469553c2269ccb477a9b (diff)
1 files changed, 10 insertions, 13 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 805e5768bc..181f4051b7 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -548,21 +548,17 @@ bool Parcel::hasFileDescriptors() const
     return mHasFds;
 }
 
-status_t Parcel::hasFileDescriptorsInRange(size_t offset, size_t len, bool& result) const {
+status_t Parcel::hasFileDescriptorsInRange(size_t offset, size_t len, bool* result) const {
     if (len > INT32_MAX || offset > INT32_MAX) {
         // Don't accept size_t values which may have come from an inadvertent conversion from a
         // negative int.
         return BAD_VALUE;
     }
-    size_t limit = offset + len;
-    if (offset > mDataSize || len > mDataSize || limit > mDataSize || offset > limit) {
+    size_t limit;
+    if (__builtin_add_overflow(offset, len, &limit) || limit > mDataSize) {
         return BAD_VALUE;
     }
-    result = hasFileDescriptorsInRangeUnchecked(offset, len);
-    return NO_ERROR;
-}
-
-bool Parcel::hasFileDescriptorsInRangeUnchecked(size_t offset, size_t len) const {
+    *result = false;
     for (size_t i = 0; i < mObjectsSize; i++) {
         size_t pos = mObjects[i];
         if (pos < offset) continue;
@@ -572,10 +568,11 @@ bool Parcel::hasFileDescriptorsInRangeUnchecked(size_t offset, size_t len) const
         }
         const flat_binder_object* flat = reinterpret_cast<const flat_binder_object*>(mData + pos);
         if (flat->hdr.type == BINDER_TYPE_FD) {
-            return true;
+            *result = true;
+            break;
         }
     }
-    return false;
+    return NO_ERROR;
 }
 
 void Parcel::markSensitive() const
@@ -2568,9 +2565,9 @@ void Parcel::initState()
     }
 }
 
-void Parcel::scanForFds() const
-{
-    mHasFds = hasFileDescriptorsInRangeUnchecked(0, dataSize());
+void Parcel::scanForFds() const {
+    status_t status = hasFileDescriptorsInRange(0, dataSize(), &mHasFds);
+    ALOGE_IF(status != NO_ERROR, "Error %d calling hasFileDescriptorsInRange()", status);
     mFdsKnown = true;
 }
author	Bernardo Rufino <brufino@google.com>	2021-10-21 11:33:18 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2021-10-21 11:33:18 +0000
commit	03ea1e4b9c2d3c97a8f912c374e702b31a7777cb (patch)
tree	537f8bfb6f76bcdca446274486429987334874fc /libs/binder/Parcel.cpp
parent	4746c855fb82bda50ca5c4cccbcd84f264f0b4a4 (diff)
parent	69e66894203b5f8b5750469553c2269ccb477a9b (diff)