From 4a0a55e0b68e34f411e436b19e3997a81078cdeb Mon Sep 17 00:00:00 2001 From: Devin Moore Date: Thu, 4 Jun 2020 13:23:10 -0700 Subject: Update parcel data pointer after realloc with size 0 If restartWrite is called with desired size of 0, mData will be reallocated to size 0. This frees the memory and returns a null pointer. When this happens we need to update the stored data pointer and capacity, otherwise we will crash with a double free when the object is destructed. Bug: 157066561 Test: build POC included in bug. 'adb push binderMemSafety /data/local/tmp && adb shell /data/local/tmp/binderMemSafety'. Reproduce the crash without this change, then verify no crash with this change. This is also being added to STS. Ran 'atest -p' for binder tests. Change-Id: I494e954204ee4a312739ae8600e2cf545ea452e3 --- libs/binder/Parcel.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libs/binder/Parcel.cpp') diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 9642a87f4e..598fecef5d 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -2460,7 +2460,7 @@ status_t Parcel::restartWrite(size_t desired) releaseObjects(); - if (data) { + if (data || desired == 0) { LOG_ALLOC("Parcel %p: restart from %zu to %zu capacity", this, mDataCapacity, desired); pthread_mutex_lock(&gParcelGlobalAllocSizeLock); gParcelGlobalAllocSize += desired; -- cgit v1.2.3-59-g8ed1b
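Review bot: the new condition `if (data || desired == 0) {` distinguishes "realloc to zero returned NULL and freed the old block" from "realloc failed" only by the requested size, and the reason is not stated at the `if`; please add a comment there noting that `realloc(ptr, 0)` frees and returns NULL on this platform, so this branch must still run to overwrite the stale mData/mDataCapacity, since the C standard leaves the return value of a zero-size realloc implementation-defined and a future reader may otherwise "simplify" the guard back to `if (data)`. The stale-pointer case is exactly what produced the double free in the destructor described in the commit message, so a regression test that calls restartWrite(0) and then destroys the Parcel (the binderMemSafety POC from the bug) belongs in the binder test suite rather than only in STS. The `gParcelGlobalAllocSize += desired;` line in the context adds 0 for this path, so the accounting is unaffected, but it would be worth confirming (outside this hunk) that the old capacity is subtracted on the same path.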