Snap for 8512216 from bfbbb04c096deccf43ad1c52e80c399a7be985ed to tm-frc-art-releaset_frc_art_330443060 android13-frc-art-release

Change-Id: I185255d7a9eac83349578e82da0e715bf3f8903f
author: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2022-04-28 16:07:20 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2022-04-28 16:07:20 +0000
commit: f12359d2327718574e79dad784195e55ceb3b4db (patch)
tree: 50418c247ca2ddb3a7eb6948572efbc7d12136e6
parent: 774111ee1eaba69669091efaf7e24fe5d1d0cb0e (diff)
parent: bfbbb04c096deccf43ad1c52e80c399a7be985ed (diff)
download: libhwbinder-android13-frc-art-release.tar.gz
2 files changed, 13 insertions, 15 deletions
diff --git a/Binder.cpp b/Binder.cpp
index b90639f..6d26414 100644
--- a/Binder.cpp
+++ b/Binder.cpp
@@ -129,20 +129,12 @@ status_t BHwBinder::transact(
         }
     }
 
-    status_t err = NO_ERROR;
-    switch (code) {
-        default:
-            err = onTransact(code, data, reply, flags,
-                    [&](auto &replyParcel) {
-                        replyParcel.setDataPosition(0);
-                        if (callback != nullptr) {
-                            callback(replyParcel);
-                        }
-                    });
-            break;
-    }
-
-    return err;
+    return onTransact(code, data, reply, flags, [&](auto& replyParcel) {
+      replyParcel.setDataPosition(0);
+      if (callback != nullptr) {
+        callback(replyParcel);
+      }
+    });
 }
 
 status_t BHwBinder::linkToDeath(
diff --git a/Parcel.cpp b/Parcel.cpp
index 98300d0..a20d98c 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1333,11 +1333,17 @@ bool Parcel::verifyBufferObject(const binder_buffer_object *buffer_obj,
             return false;
         }
         if (buffer_obj->parent_offset != parentOffset) {
-              ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
+            ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
                   static_cast<uint64_t>(buffer_obj->parent_offset), parentOffset);
             return false;
         }
 
+        // checked by kernel driver, but needed for fuzzer
+        if (parent >= mObjectsSize) {
+            ALOGE("Parent index %zu but only have %zu objects", parent, mObjectsSize);
+            return false;
+        }
+
         binder_buffer_object *parentBuffer =
             reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent]);
         void* bufferInParent = *reinterpret_cast<void**>(
author	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2022-04-28 16:07:20 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2022-04-28 16:07:20 +0000
commit	f12359d2327718574e79dad784195e55ceb3b4db (patch)
tree	50418c247ca2ddb3a7eb6948572efbc7d12136e6
parent	774111ee1eaba69669091efaf7e24fe5d1d0cb0e (diff)
parent	bfbbb04c096deccf43ad1c52e80c399a7be985ed (diff)
download	libhwbinder-android13-frc-art-release.tar.gz