| -rw-r--r-- | libs/binder/Parcel.cpp | 4 | ||||
| -rw-r--r-- | libs/binder/tests/binderParcelTest.cpp | 34 |
2 files changed, 36 insertions, 2 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index b1b2aa02a7..037707559e 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -2056,7 +2056,7 @@ const char* Parcel::readString8Inplace(size_t* outLen) const
 if (size >= 0 && size < INT32_MAX) {
 *outLen = size;
 const char* str = (const char*)readInplace(size+1);
- if (str != nullptr) {
+ if (str != nullptr && str[size] == '\0') {
 return str;
 }
 }
@@ -2139,7 +2139,7 @@ const char16_t* Parcel::readString16Inplace(size_t* outLen) const
 if (size >= 0 && size < INT32_MAX) {
 *outLen = size;
 const char16_t* str = (const char16_t*)readInplace((size+1)*sizeof(char16_t));
- if (str != nullptr) {
+ if (str != nullptr && str[size] == u'\0') {
 return str;
 }
 }
diff --git a/libs/binder/tests/binderParcelTest.cpp b/libs/binder/tests/binderParcelTest.cpp
index 17642281c3..841d47b264 100644
--- a/libs/binder/tests/binderParcelTest.cpp
+++ b/libs/binder/tests/binderParcelTest.cpp
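Review bot: The new terminator tests in readString8Inplace (`str[size] == '\0'`) and readString16Inplace (`str[size] == u'\0'`) carry no comment explaining why a length-prefixed read also insists on a terminator. I would add above each condition `// size and payload both come from the sender; require the terminator so callers that treat the result as a C string cannot run past the string`. Only the final unit is checked, so a payload with an embedded NUL still passes and strlen() of the result can be smaller than `*outLen`; if callers are meant to rely on `*outLen` alone, the same comment should say so. Both function bodies start and end outside the hunks, so what `*outLen` holds on the rejection path is not visible here and is worth confirming, since it is assigned before the check.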
@@ -25,6 +25,40 @@ using android::String16;
 using android::String8;
 using android::status_t;
 
+TEST(Parcel, NonNullTerminatedString8) {
+ String8 kTestString = String8("test-is-good");
+
+ // write non-null terminated string
+ Parcel p;
+ p.writeString8(kTestString);
+ p.setDataPosition(0);
+ // BAD! assumption of wire format for test
+ // write over length of string
+ p.writeInt32(kTestString.size() - 2);
+
+ p.setDataPosition(0);
+ String8 output;
+ EXPECT_NE(OK, p.readString8(&output));
+ EXPECT_EQ(output.size(), 0);
+}
+
+TEST(Parcel, NonNullTerminatedString16) {
+ String16 kTestString = String16("test-is-good");
+
+ // write non-null terminated string
+ Parcel p;
+ p.writeString16(kTestString);
+ p.setDataPosition(0);
+ // BAD! assumption of wire format for test
+ // write over length of string
+ p.writeInt32(kTestString.size() - 2);
+
+ p.setDataPosition(0);
+ String16 output;
+ EXPECT_NE(OK, p.readString16(&output));
+ EXPECT_EQ(output.size(), 0);
+}
+
 // Tests a second operation results in a parcel at the same location as it
 // started.
 void parcelOpSameLength(const std::function<void(Parcel*)>& a, const std::function<void(Parcel*)>& b) { |
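Review bot: Both new tests rely on the length prefix being the first int32 of the parcel, as their `BAD!` comments admit, but nothing asserts it, so a wire-format change could leave them passing or failing for an unrelated reason. Reading the prefix back before overwriting it would pin the assumption: `EXPECT_EQ(static_cast<int32_t>(kTestString.size()), p.readInt32());` followed by `p.setDataPosition(0);`, in NonNullTerminatedString8 and NonNullTerminatedString16 alike. A companion case that round-trips an unmodified string would show that the stricter check in Parcel.cpp does not reject well-formed input. As a smaller point, `EXPECT_EQ(output.size(), 0);` compares an unsigned size with a signed literal; `0u` avoids a sign-compare warning.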