From: Michael Wachenschwanz <mwachens@google.com>
Date: Thu, 16 May 2019 05:58:15 +0000 (-0700)
Subject: Clear the Parcel before writing an exception during a transaction
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=f8ef5bcf21c87d8617f5e11810cc94350298d114;hp=fe9f143d2c713475ed2e354e893ea26f5c2f7afa;p=android-x86%2Fframeworks-base.git

Clear the Parcel before writing an exception during a transaction

This prevents any object data from being accidentally overwritten by the
exception, which could cause unexpected malformed objects to be sent
across the transaction.

Test: atest CtsOsTestCases:ParcelTest#testExceptionOverwritesObject
Bug: 34175893
Change-Id: Iaf80a0ad711762992b8ae60f76d861c97a403013
Merged-In: Iaf80a0ad711762992b8ae60f76d861c97a403013
---

diff --git a/core/java/android/os/Binder.java b/core/java/android/os/Binder.java
index ea8ba2f1e6df..b9597ea46fb1 100644
--- a/core/java/android/os/Binder.java
+++ b/core/java/android/os/Binder.java
@@ -574,6 +574,8 @@ public class Binder implements IBinder {
                     Log.w(TAG, "Caught a RuntimeException from the binder stub implementation.", e);
                 }
             } else {
+                // Clear the parcel before writing the exception
+                reply.setDataSize(0);
                 reply.setDataPosition(0);
                 reply.writeException(e);
             }