diff options
| author | Martijn Coenen <maco@google.com> | 2018-04-04 11:46:56 +0200 |
|---|---|---|
| committer | Tim Schumacher <timschumi@gmx.de> | 2018-07-17 07:17:21 +0200 |
| commit | 83c57ea772378fb68f1b882e0479ec9978bd3988 (patch) | |
| tree | 1889fb2ca7d026e9df29d285c51a586da582c518 | |
| parent | 25acebb65f422a6644b99c99d5caced780c73e76 (diff) | |
| download | android_frameworks_native-83c57ea772378fb68f1b882e0479ec9978bd3988.tar.gz android_frameworks_native-83c57ea772378fb68f1b882e0479ec9978bd3988.tar.bz2 android_frameworks_native-83c57ea772378fb68f1b882e0479ec9978bd3988.zip | |
Don't pad before calling writeInPlace().
writeInplace() itself already pads securely, by masking off
the padded bytes. If the padding is done before calling
writeInplace(), no mask is applied, and heap data can leak.
Bug: 77237570
Test: builds
Change-Id: Ide27a0002d4ed4196530430760245b971f6a3f44
Merged-In: Ide27a0002d4ed4196530430760245b971f6a3f44
(cherry picked from commit f8542381b72a7bb2452a5278a00ca8c34edbf8a0)
(cherry picked from commit 732132b765cd7b667f16cf32f0fe4c852d7d44dd)
Change-Id: Id65e4573e18ab68b804f1cf63a6977a71da01e5d
| -rw-r--r-- | libs/binder/Parcel.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index c383a2d6e..189ae18ba 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -834,7 +834,7 @@ status_t Parcel::write(const FlattenableHelperInterface& val) if (err) return err; // payload - void* const buf = this->writeInplace(PAD_SIZE(len)); + void* const buf = this->writeInplace(len); if (buf == NULL) return BAD_VALUE; |