authorKenny Root <kroot@google.com>2014-03-17 13:18:16 -0700
committerKenny Root <kroot@google.com>2014-03-17 13:18:16 -0700
commit5b61ad2cda8ec8ab634ce02f388bb2d3c5ab048d (patch)
treef7e3eda19a658f21028269cd969c0ee347e34db8
parentf0190bff38b6c29abbfc4a877442f71fc3d7dad8 (diff)
Check the padded size of the read byte array
Bug: 13509200 Change-Id: Id93894fcc617ec1cd4ce66921c6e1f1c3cf40b09
-rw-r--r--libs/binder/Parcel.cpp6
1 files changed, 4 insertions, 2 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 17ffa05d9..db9e0a1e2 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -908,7 +908,8 @@ void Parcel::remove(size_t start, size_t amt)
status_t Parcel::read(void* outData, size_t len) const
{
- if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) {
+ if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize
+ && len <= PAD_SIZE(len)) {
memcpy(outData, mData+mDataPos, len);
mDataPos += PAD_SIZE(len);
ALOGV("read Setting data pos of %p to %d\n", this, mDataPos);
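Review bot: The added clause `len <= PAD_SIZE(len)` in Parcel::read carries no comment, so it reads as always-true and a later cleanup could drop it. Assuming PAD_SIZE rounds up to a word multiple, it is the only clause that rejects a len near SIZE_MAX whose padded size wraps to a small value, which would let both position checks pass while memcpy still copies the unpadded len. I would put `// PAD_SIZE(len) wraps for len near SIZE_MAX; reject before memcpy uses the unpadded len` above the condition. The identical three-clause condition is repeated in the readInplace hunk below, so a small private helper such as `bool canRead(size_t len) const` (name is a suggestion) would keep the two from drifting apart. Other PAD_SIZE users in Parcel.cpp are outside this diff and worth checking for the same wrap; read()'s body also continues past the end of the hunk.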
@@ -919,7 +920,8 @@ status_t Parcel::read(void* outData, size_t len) const
const void* Parcel::readInplace(size_t len) const
{
- if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) {
+ if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize
+ && len <= PAD_SIZE(len)) {
const void* data = mData+mDataPos;
mDataPos += PAD_SIZE(len);
ALOGV("readInplace Setting data pos of %p to %d\n", this, mDataPos);