diff options
| author | Christopher Tate <ctate@google.com> | 2015-05-27 17:53:02 -0700 |
|---|---|---|
| committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-18 20:57:10 +0200 |
| commit | 3aa2524725d696fcf3cef520a9f8f5c42e57a668 (patch) | |
| tree | 37ba57366609c70e7363d2f07c4bd00e9d5df2ae | |
| parent | 05067332213173e408a98c070602fa2046e102ec (diff) | |
| download | frameworks_native-3aa2524725d696fcf3cef520a9f8f5c42e57a668.zip frameworks_native-3aa2524725d696fcf3cef520a9f8f5c42e57a668.tar.gz frameworks_native-3aa2524725d696fcf3cef520a9f8f5c42e57a668.tar.bz2 | |
Disregard alleged binder entities beyond parcel bounds
When appending one parcel's contents to another, ignore binder
objects within the source Parcel that appear to lie beyond the
formal bounds of that Parcel's data buffer.
Bug 17312693
Change-Id: If592a260f3fcd9a56fc160e7feb2c8b44c73f514
(cherry picked from commit 27182be9f20f4f5b48316666429f09b9ecc1f22e)
Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
| -rw-r--r-- | libs/binder/Parcel.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 6a2ef00..dc848cb 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -382,7 +382,7 @@ status_t Parcel::appendFrom(const Parcel *parcel, size_t offset, size_t len) // Count objects in range for (int i = 0; i < (int) size; i++) { size_t off = objects[i]; - if ((off >= offset) && (off < offset + len)) { + if ((off >= offset) && (off + sizeof(flat_binder_object) <= offset + len)) { if (firstIndex == -1) { firstIndex = i; } |