From 54cb02ad733fb71b1bdf78590428817fb780aff8 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Tue, 26 Apr 2016 08:44:09 -0700 Subject: Correctly handle dup() failure in Parcel::readNativeHandle bail out if dup() fails, instead of creating an invalid native_handle_t Bug: 28395952 Change-Id: Ia1a6198c0f45165b9c6a55a803e5f64d8afa0572 --- libs/binder/Parcel.cpp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 22d7ef3..4a660d1 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -1377,7 +1377,13 @@ native_handle* Parcel::readNativeHandle() const for (int i=0 ; err==NO_ERROR && idata[i] = dup(readFileDescriptor()); - if (h->data[i] < 0) err = BAD_VALUE; + if (h->data[i] < 0) { + for (int j = 0; j < i; j++) { + close(h->data[j]); + } + native_handle_delete(h); + return 0; + } } err = read(h->data + numFds, sizeof(int)*numInts); if (err != NO_ERROR) { -- cgit v1.1
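Review bot: The new cleanup in the `if (h->data[i] < 0)` branch closes only the `j < i` descriptors that were actually duplicated, but no comment says why it stops there instead of closing the whole handle. I would add a comment such as `// only data[0..i-1] hold fds we own; the remaining slots were never filled, so do not close the whole handle`. Without it, a later refactor could swap the loop for a helper that walks every fd slot and closes descriptor numbers this function never opened, leaving unrelated fds in the process closed or confused. The loop condition still tests `err==NO_ERROR`, which looks dead now that the body no longer assigns `err`. The body of `Parcel::readNativeHandle` starts and ends outside this hunk, so how `h` is allocated and how `numFds` from the parcel is bounded cannot be checked from here.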