From c6b0dfa3358a152c9bfd1fc479753c6ba32b78eb Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Tue, 5 Mar 2024 09:10:02 +0000
Subject: Parcel: free objects before realloc

Otherwise this would try to free the objects which have been written over in mData.

Bug: 328177618
Test: with fuzzer
Change-Id: I8929d11e3c1c193a1c36e95371b5e96e24d47ece
---
 libs/binder/Parcel.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'libs/binder/Parcel.cpp')

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index c1770b35d1..4d1463ca09 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -2930,14 +2930,14 @@ status_t Parcel::restartWrite(size_t desired)
 return continueWrite(desired);
 }
 
+ releaseObjects();
+
 uint8_t* data = reallocZeroFree(mData, mDataCapacity, desired, mDeallocZero);
 if (!data && desired > mDataCapacity) {
 mError = NO_MEMORY;
 return NO_MEMORY;
 }
 
- releaseObjects();
-
 if (data || desired == 0) {
 LOG_ALLOC("Parcel %p: restart from %zu to %zu capacity", this, mDataCapacity, desired);
 if (mDataCapacity > desired) {
-- 
cgit v1.2.3-59-g8ed1b

From 47d7f1e33892bd7075143e7c66ce33d1c2c16357 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Fri, 8 Mar 2024 23:43:21 +0000
Subject: libbinder: restartWrite abort out of memory

Most code in Android and indeed in libbinder will abort in this case. Since setData is underspecified, we should probably start the process of removing all the users of it (AIDL does not use it). However, until it can be removed, it's safer to abort here than risk mObjects is referenced in an invalid state from here on.

Bug: 328177618
Test: N/A
Change-Id: Ia36303e1f9bdc91d37943aa106bd832166b91e28
---
 libs/binder/Parcel.cpp | 1 +
 1 file changed, 1 insertion(+)
(limited to 'libs/binder/Parcel.cpp')

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index c1770b35d1..2a3ab7446a 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
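Review bot: With `releaseObjects()` now ahead of `reallocZeroFree`, the `NO_MEMORY` early return in this hunk exits with the tracked objects already released but still recorded in `mObjects` (the object bookkeeping is presumably reset only further down in restartWrite, outside this hunk), so a later release on the same Parcel would walk references that are already gone. Either reset the object count before that return or treat the allocation failure as fatal, which is what the follow-up patch on this page does. The moved call is now order-sensitive and deserves a why-comment, e.g. `// Must run before reallocZeroFree: releasing reads the objects out of mData, which the realloc may free or zero.`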
@@ -2932,6 +2932,7 @@ status_t Parcel::restartWrite(size_t desired)
 
 uint8_t* data = reallocZeroFree(mData, mDataCapacity, desired, mDeallocZero);
 if (!data && desired > mDataCapacity) {
+ LOG_ALWAYS_FATAL("out of memory");
 mError = NO_MEMORY;
 return NO_MEMORY;
 }
-- 
cgit v1.2.3-59-g8ed1b
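Review bot: `LOG_ALWAYS_FATAL` aborts in every build variant, so the `mError = NO_MEMORY; return NO_MEMORY;` lines that follow it in this hunk are now unreachable and should be removed rather than left as if the caller could still see the error. The message would also be more useful for triage if it carried the sizes involved, e.g. `LOG_ALWAYS_FATAL("Parcel %p: out of memory restarting write, capacity %zu -> %zu", this, mDataCapacity, desired);`. Note that this patch appears to be cut against the same base blob (`index c1770b35d1..`) as the preceding one rather than on top of it, so the two need reconciling when applied together, though the fatal is correct in either ordering. restartWrite continues outside the hunk.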