Binder: Make sure binder objects do not overlap

author Arve Hjønnevåg <arve@android.com>

Fri, 14 Feb 2014 03:22:08 +0000 (19:22 -0800)

committer Chih-Wei Huang <cwhuang@linux.org.tw>

Tue, 29 Apr 2014 04:04:08 +0000 (12:04 +0800)
author Arve Hjønnevåg <arve@android.com>
Fri, 14 Feb 2014 03:22:08 +0000 (19:22 -0800)
committer Chih-Wei Huang <cwhuang@linux.org.tw>
Tue, 29 Apr 2014 04:04:08 +0000 (12:04 +0800)
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp

index 38e019c..4c53b30 100644 (file)
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -35,6 +35,7 @@
  
  #include <private/binder/binder_module.h>
  
+#include <inttypes.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <stdint.h>
@@ -1317,6 +1318,7 @@ size_t Parcel::ipcObjectsCount() const
  void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
      const size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie)
  {
+    size_t minOffset = 0;
      freeDataNoInit();
      mError = NO_ERROR;
      mData = const_cast<uint8_t*>(data);
@@ -1329,6 +1331,16 @@ void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
      mNextObjectHint = 0;
      mOwner = relFunc;
      mOwnerCookie = relCookie;
+    for (size_t i = 0; i < mObjectsSize; i++) {
+        size_t offset = mObjects[i];
+        if (offset < minOffset) {
+            ALOGE("%s: bad object offset %d < %d\n",
+                    __func__, offset, minOffset);
+            mObjectsSize = 0;
+            break;
+        }
+        minOffset = offset + sizeof(flat_binder_object);
+    }
      scanForFds();
  }
author	Arve Hjønnevåg <arve@android.com>
	Fri, 14 Feb 2014 03:22:08 +0000 (19:22 -0800)
committer	Chih-Wei Huang <cwhuang@linux.org.tw>
	Tue, 29 Apr 2014 04:04:08 +0000 (12:04 +0800)