diff options
author | Kenny Root <kroot@google.com> | 2014-03-17 21:31:04 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-03-17 21:31:04 +0000 |
commit | ca609e4300d88ad1e815581ebc6a478b446d3882 (patch) | |
tree | 088945dc67dd9d6fdd579f1bc1dc037dd5cf2dda /libs/binder/Parcel.cpp | |
parent | 80acb20ca95da161fc739abac0fb9084a76e2ced (diff) | |
parent | 38e2aaaa3dd62a20eb211808ae6fe45ec37ee6d5 (diff) | |
download | frameworks_native-ca609e4300d88ad1e815581ebc6a478b446d3882.zip frameworks_native-ca609e4300d88ad1e815581ebc6a478b446d3882.tar.gz frameworks_native-ca609e4300d88ad1e815581ebc6a478b446d3882.tar.bz2 |
am 38e2aaaa: am 5b61ad2c: Check the padded size of the read byte array
* commit '38e2aaaa3dd62a20eb211808ae6fe45ec37ee6d5':
Check the padded size of the read byte array
Diffstat (limited to 'libs/binder/Parcel.cpp')
-rw-r--r-- | libs/binder/Parcel.cpp | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 296cd5c..67cb428 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -917,7 +917,8 @@ void Parcel::remove(size_t /*start*/, size_t /*amt*/) status_t Parcel::read(void* outData, size_t len) const { - if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) { + if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize + && len <= PAD_SIZE(len)) { memcpy(outData, mData+mDataPos, len); mDataPos += PAD_SIZE(len); ALOGV("read Setting data pos of %p to %d\n", this, mDataPos); @@ -928,7 +929,8 @@ status_t Parcel::read(void* outData, size_t len) const const void* Parcel::readInplace(size_t len) const { - if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) { + if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize + && len <= PAD_SIZE(len)) { const void* data = mData+mDataPos; mDataPos += PAD_SIZE(len); ALOGV("readInplace Setting data pos of %p to %d\n", this, mDataPos); |