summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCasey Dahlin <sadmac@google.com>2016-10-26 17:18:25 -0700
committergitbuildkicker <android-build@google.com>2017-01-03 15:08:40 -0800
commit9a8df9a20a808d336cd3334014d08cb3daefccfe (patch)
tree636e7683ce010761d3713048814100fc824ac5fd
parentf14208e0390d8ee20ee4a5d7605d614e8b1abaf1 (diff)
downloadandroid-frameworks-native-9a8df9a20a808d336cd3334014d08cb3daefccfe.tar.gz
android-frameworks-native-9a8df9a20a808d336cd3334014d08cb3daefccfe.tar.xz
Fix integer overflow in unsafeReadTypedVector
Passing a size to std::vector that is too big causes it to silently under-allocate when exceptions are disabled, leaving us open to an OOB write. We check the bounds and the resulting size now to verify allocation succeeds. Test: Verified reproducer attached to bug no longer crashes Camera service. Bug: 31677614 Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7 (cherry picked from commit 65a8f07e57a492289798ca709a311650b5bd5af1)
-rw-r--r--include/binder/Parcel.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h
index 1c355c4..2490b82 100644
--- a/include/binder/Parcel.h
+++ b/include/binder/Parcel.h
@@ -589,8 +589,16 @@ status_t Parcel::unsafeReadTypedVector(
return UNEXPECTED_NULL;
}
+ if (val->max_size() < size) {
+ return NO_MEMORY;
+ }
+
val->resize(size);
+ if (val->size() < size) {
+ return NO_MEMORY;
+ }
+
for (auto& v: *val) {
status = (this->*read_func)(&v);