OSDN Git Service

(root) / android-x86 / frameworks-base.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ee1a0f0)
Verify number of Map entries written to Parcel
authorMichael Wachenschwanz <mwachens@google.com>
Sat, 25 Aug 2018 04:50:35 +0000 (21:50 -0700)
committerRohit Yengisetty <rngy@google.com>
Fri, 28 Sep 2018 22:01:22 +0000 (15:01 -0700)
Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.

Fixes: 112859604
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest

Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
(cherry picked from commit 057a01d1f38e9b46d3faa4059fdd7c8717681ea0)

core/java/android/os/Parcel.java patch | blob | history

diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java
index f6e6ad6..0591fa8 100644 (file)
--- a/core/java/android/os/Parcel.java
+++ b/core/java/android/os/Parcel.java
@@ -692,11 +692,19 @@ public final class Parcel {
             return;
         }
         Set<Map.Entry<String,Object>> entries = val.entrySet();
-        writeInt(entries.size());
+        int size = entries.size();
+        writeInt(size);
+
         for (Map.Entry<String,Object> e : entries) {
             writeValue(e.getKey());
             writeValue(e.getValue());
+            size--;
         }
+
+        if (size != 0) {
+            throw new BadParcelableException("Map size does not match number of entries!");
+        }
+
     }
 
     /**
frameworks/base
About OSDN
Find Software
Develop Software
Help