Disregard alleged binder entities beyond parcel bounds

When appending one parcel's contents to another, ignore binder objects within the source Parcel that appear to lie beyond the formal bounds of that Parcel's data buffer. Bug 17312693 Change-Id: If592a260f3fcd9a56fc160e7feb2c8b44c73f514
author: Christopher Tate <ctate@google.com> 2015-05-27 17:53:02 -0700
committer: Christopher Tate <ctate@google.com> 2015-05-27 19:20:15 -0700
commit: 27182be9f20f4f5b48316666429f09b9ecc1f22e (patch)
tree: 238a998e14324f5ad2c1b975074c2fe46ab9f5d5 /libs/binder/Parcel.cpp
parent: 7fc3ef0eb0077eedaa09a7b505b6ec067e814170 (diff)
download: frameworks_native-27182be9f20f4f5b48316666429f09b9ecc1f22e.zip
frameworks_native-27182be9f20f4f5b48316666429f09b9ecc1f22e.tar.gz
frameworks_native-27182be9f20f4f5b48316666429f09b9ecc1f22e.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 015866b..c1cfb1e 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -451,7 +451,7 @@ status_t Parcel::appendFrom(const Parcel *parcel, size_t offset, size_t len)
     // Count objects in range
     for (int i = 0; i < (int) size; i++) {
         size_t off = objects[i];
-        if ((off >= offset) && (off < offset + len)) {
+        if ((off >= offset) && (off + sizeof(flat_binder_object) <= offset + len)) {
             if (firstIndex == -1) {
                 firstIndex = i;
             }
author	Christopher Tate <ctate@google.com>	2015-05-27 17:53:02 -0700
committer	Christopher Tate <ctate@google.com>	2015-05-27 19:20:15 -0700
commit	27182be9f20f4f5b48316666429f09b9ecc1f22e (patch)
tree	238a998e14324f5ad2c1b975074c2fe46ab9f5d5 /libs/binder/Parcel.cpp
parent	7fc3ef0eb0077eedaa09a7b505b6ec067e814170 (diff)
download	frameworks_native-27182be9f20f4f5b48316666429f09b9ecc1f22e.zip frameworks_native-27182be9f20f4f5b48316666429f09b9ecc1f22e.tar.gz frameworks_native-27182be9f20f4f5b48316666429f09b9ecc1f22e.tar.bz2