diff options
| author | Kenny Root <kroot@google.com> | 2014-03-17 21:28:33 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2014-03-17 21:28:33 +0000 |
| commit | 9ff2aad010f77a7f095d2802587775a59ed2384a (patch) | |
| tree | 55e8116766ba13033985d32fd180ad628846e897 /libs/binder | |
| parent | 446ef4bae2605f4d4ef83c57803a9f8c2e901f8e (diff) | |
| parent | 5b61ad2cda8ec8ab634ce02f388bb2d3c5ab048d (diff) | |
| download | frameworks_native-9ff2aad010f77a7f095d2802587775a59ed2384a.zip frameworks_native-9ff2aad010f77a7f095d2802587775a59ed2384a.tar.gz frameworks_native-9ff2aad010f77a7f095d2802587775a59ed2384a.tar.bz2 | |
am 5b61ad2c: Check the padded size of the read byte array
* commit '5b61ad2cda8ec8ab634ce02f388bb2d3c5ab048d':
Check the padded size of the read byte array
Diffstat (limited to 'libs/binder')
| -rw-r--r-- | libs/binder/Parcel.cpp | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 48d57dc..4371c23 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -917,7 +917,8 @@ void Parcel::remove(size_t /*start*/, size_t /*amt*/) status_t Parcel::read(void* outData, size_t len) const { - if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) { + if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize + && len <= PAD_SIZE(len)) { memcpy(outData, mData+mDataPos, len); mDataPos += PAD_SIZE(len); ALOGV("read Setting data pos of %p to %d\n", this, mDataPos); @@ -928,7 +929,8 @@ status_t Parcel::read(void* outData, size_t len) const const void* Parcel::readInplace(size_t len) const { - if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) { + if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize + && len <= PAD_SIZE(len)) { const void* data = mData+mDataPos; mDataPos += PAD_SIZE(len); ALOGV("readInplace Setting data pos of %p to %d\n", this, mDataPos); |