From 65a8f07e57a492289798ca709a311650b5bd5af1 Mon Sep 17 00:00:00 2001
From: Casey Dahlin
Date: Wed, 26 Oct 2016 17:18:25 -0700
Subject: Fix integer overflow in unsafeReadTypedVector

Passing a size to std::vector that is too big causes it to silently under-allocate when exceptions are disabled, leaving us open to an OOB write. We check the bounds and the resulting size now to verify allocation succeeds.

Test: Verified reproducer attached to bug no longer crashes Camera service.
Bug: 31677614
Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7
---
 include/binder/Parcel.h | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'include/binder')

diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h
index 1c355c4689..2490b82bb2 100644
--- a/include/binder/Parcel.h
+++ b/include/binder/Parcel.h
@@ -589,8 +589,16 @@ status_t Parcel::unsafeReadTypedVector(
         return UNEXPECTED_NULL;
     }
 
+    if (val->max_size() < size) {
+        return NO_MEMORY;
+    }
+
     val->resize(size);
 
+    if (val->size() < size) {
+        return NO_MEMORY;
+    }
+
     for (auto& v: *val) {
         status = (this->*read_func)(&v);
 
--
cgit v1.2.3-59-g8ed1b
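Review bot: The new `max_size()` guard still accepts any element count up to max_size(), so on a 64-bit build a hostile count in the low billions passes the check and `val->resize(size)` allocates and default-constructs size * sizeof(T) bytes of elements before a single one has been read from the parcel; the `val->size() < size` check afterwards only catches an allocation the library reports as failed, not a multi-gigabyte one that succeeds or gets the process OOM-killed. A tighter and cheaper bound is the data still unread in the parcel: if this class exposes a remaining-bytes accessor (dataAvail() or similar — not visible in the hunk) and each element consumes at least one byte through read_func, reject impossible counts before the resize with `if (static_cast<size_t>(size) > dataAvail()) { return BAD_VALUE; }` (or whichever error status the surrounding readers use). The comparison `val->max_size() < size` mixes size_t with the signed count read earlier and is only safe because the negative-count check that returns UNEXPECTED_NULL precedes it; its condition sits above the hunk, so a one-line comment such as `// size is non-negative here (checked above), so the size_t comparison is safe` would keep that dependency visible. The body of unsafeReadTypedVector begins before this hunk and continues after it.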