From 0db4fced4d2c8325c93f61ac4ab385b47e041f23 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Wed, 2 Oct 2024 01:00:23 +0000
Subject: libbinder: Parcel: grow rejects large data pos

This is unexpected behavior so throw an error. Allocating this much memory may cause OOM or other issues.

Bug: 370831157
Test: fuzzer
Merged-In: Iea0884ca61b08e52e6a6e9c66693e427cb5536f4
Change-Id: Iea0884ca61b08e52e6a6e9c66693e427cb5536f4
(cherry picked from commit 608524d462278c2c9f6716cd94f126c85e9f2e91)
---
 libs/binder/Parcel.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'libs/binder/Parcel.cpp')

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 617708f3d4..abdd4875af 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -2253,6 +2253,14 @@ status_t Parcel::growData(size_t len)
         return BAD_VALUE;
     }
 
+    if (mDataPos > mDataSize) {
+        // b/370831157 - this case used to abort. We also don't expect mDataPos < mDataSize, but
+        // this would only waste a bit of memory, so it's okay.
+        ALOGE("growData only expected at the end of a Parcel. pos: %zu, size: %zu, capacity: %zu",
+              mDataPos, len, mDataCapacity);
+        return BAD_VALUE;
+    }
+
     if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
     if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
     size_t newSize = ((mDataSize+len)*3)/2;
-- 
cgit v1.2.3-59-g8ed1b
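Review bot: The new ALOGE in the added block labels its second argument `size:` but passes `len` (the requested growth), so the log never shows `mDataSize`, which is the value the guard actually compares `mDataPos` against; for a check that turns a former abort into a recoverable error on what is presumably attacker-influenced parcel state, the diagnostic should print the quantities that triggered it. Suggest `ALOGE("growData only expected at the end of a Parcel. pos: %zu, size: %zu, len: %zu, capacity: %zu",` followed by `mDataPos, mDataSize, len, mDataCapacity);`. The inline comment could also say why BAD_VALUE rather than NO_MEMORY is returned here (the caller's mis-positioned parcel is the fault, not allocation), since the overflow checks right below return NO_MEMORY. growData's body begins before this hunk, so whether any earlier path can leave mDataPos beyond mDataSize cannot be judged from the visible lines.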