author Xin Li <delphij@google.com> 2019-08-13 16:36:38 -0700
committer Xin Li <delphij@google.com> 2019-08-13 16:36:38 -0700
commit47fba7fba0b814246195167df01e745faba68dc6 (patch)
tree14df99cbf7e65bb0827a12040c017cd7d2776292 /libs/binder/Status.cpp
parente3aff37dc7e02cd2104767dac8f115ec1bfd3cd4 (diff)
parent40b476c5790168a9bad2d7b5459883c07d25cc35 (diff)
DO NOT MERGE - Merge pie-platform-release (PPRL.190801.002) into master
Bug: 139369544 Change-Id: I24c88d4bc056d8440d6de94488fb3d7fd6ad5200
Diffstat (limited to 'libs/binder/Status.cpp')
-rw-r--r--libs/binder/Status.cpp31
1 files changed, 29 insertions, 2 deletions
diff --git a/libs/binder/Status.cpp b/libs/binder/Status.cpp
index 8b33a56484..0ad99cee3f 100644
--- a/libs/binder/Status.cpp
+++ b/libs/binder/Status.cpp
@@ -102,13 +102,23 @@ status_t Status::readFromParcel(const Parcel& parcel) {
// Skip over fat response headers. Not used (or propagated) in native code.
if (mException == EX_HAS_REPLY_HEADER) {
// Note that the header size includes the 4 byte size field.
- const int32_t header_start = parcel.dataPosition();
+ const size_t header_start = parcel.dataPosition();
+ // Get available size before reading more
+ const size_t header_avail = parcel.dataAvail();
+
int32_t header_size;
status = parcel.readInt32(&header_size);
if (status != OK) {
setFromStatusT(status);
return status;
}
+
+ if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
+
parcel.setDataPosition(header_start + header_size);
// And fat response headers are currently only used when there are no
// exceptions, so act like there was no error.
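Review bot: The added check `if (header_size < 0 || static_cast<size_t>(header_size) > header_avail)` still accepts the values 0 through 3, although the comment above it says the header size includes the 4-byte size field. For such a value `parcel.setDataPosition(header_start + header_size)` leaves the cursor inside the size field that was just read rather than past the header, so later reads would reinterpret those bytes as reply data. Consider tightening the lower bound to `header_size < static_cast<int32_t>(sizeof(int32_t))`, after confirming that no legitimate sender writes a smaller value. The same pattern is repeated in the EX_PARCELABLE branch of the second hunk, where whether the blob size also counts its own size field is not visible here. Separately, a short comment at the three `android_errorWriteLog(0x534e4554, "132650049")` calls saying that the constant spells "SNET" (the security event-log tag) and the string is the bug id would help readers; readFromParcel's body starts and ends outside this hunk.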
@@ -135,19 +145,36 @@ status_t Status::readFromParcel(const Parcel& parcel) {
setFromStatusT(status);
return status;
}
+ if (remote_stack_trace_header_size < 0 ||
+ static_cast<size_t>(remote_stack_trace_header_size) > parcel.dataAvail()) {
+
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
parcel.setDataPosition(parcel.dataPosition() + remote_stack_trace_header_size);
if (mException == EX_SERVICE_SPECIFIC) {
status = parcel.readInt32(&mErrorCode);
} else if (mException == EX_PARCELABLE) {
// Skip over the blob of Parcelable data
- const int32_t header_start = parcel.dataPosition();
+ const size_t header_start = parcel.dataPosition();
+ // Get available size before reading more
+ const size_t header_avail = parcel.dataAvail();
+
int32_t header_size;
status = parcel.readInt32(&header_size);
if (status != OK) {
setFromStatusT(status);
return status;
}
+
+ if (header_size < 0 || static_cast<size_t>(header_size) > header_avail) {
+ android_errorWriteLog(0x534e4554, "132650049");
+ setFromStatusT(UNKNOWN_ERROR);
+ return UNKNOWN_ERROR;
+ }
+
parcel.setDataPosition(header_start + header_size);
}
if (status != OK) {