Verify last array's length in readFromParcel

Length of the last array in readFromParcel should be the same as
value of mNextIndex.

Test: PoC app in the bug
Bug: 73252178
Change-Id: I69f935949e945c3a036b19b4f88684d906079ea5

diff --git a/core/java/com/android/internal/app/procstats/SparseMappingTable.java b/core/java/com/android/internal/app/procstats/SparseMappingTable.java
index f941836..6d79d3b 100644 (file)
--- a/core/java/com/android/internal/app/procstats/SparseMappingTable.java
+++ b/core/java/com/android/internal/app/procstats/SparseMappingTable.java
@@ -18,6 +18,7 @@ package com.android.internal.app.procstats;
 
 import android.os.Build;
 import android.os.Parcel;
+import android.util.EventLog;
 import android.util.Slog;
 import libcore.util.EmptyArray;
 
@@ -529,6 +530,12 @@ public class SparseMappingTable {
             readCompactedLongArray(in, array, size);
             mLongs.add(array);
         }
+        // Verify that last array's length is consistent with writeToParcel
+        if (N > 0 && mLongs.get(N - 1).length != mNextIndex) {
+            EventLog.writeEvent(0x534e4554, "73252178", -1, "");
+            throw new IllegalStateException("Expected array of length " + mNextIndex + " but was "
+                    + mLongs.get(N - 1).length);
+        }
     }
 
     /**