Merge "libhwbinder: kernel check also in userspace" am: 8b95307fc7 am: 0d37d37576 am: defd5b394d am: bfbbb04c09aml_tz4_332714070aml_tz4_332714050aml_tz4_332714010aml_tz4_331910000aml_tz4_331314030aml_tz4_331314020aml_tz4_331314010aml_tz4_331012050aml_tz4_331012040aml_tz4_331012000aml_ase_331311020aml_ase_331112000aml_ase_331011020android13-mainline-tzdata4-releaseandroid13-mainline-appsearch-releaseaml_tz4_332714010

Original change: https://android-review.googlesource.com/c/platform/system/libhwbinder/+/2014695

Change-Id: I53152dd666479c1d17745a5c3e7f98989f229771

1 files changed, 7 insertions, 1 deletions

diff --git a/Parcel.cpp b/Parcel.cpp
index 98300d0..a20d98c 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1333,11 +1333,17 @@ bool Parcel::verifyBufferObject(const binder_buffer_object *buffer_obj,
             return false;
         }
         if (buffer_obj->parent_offset != parentOffset) {
-              ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
+            ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
                   static_cast<uint64_t>(buffer_obj->parent_offset), parentOffset);
             return false;
         }
 
+        // checked by kernel driver, but needed for fuzzer
+        if (parent >= mObjectsSize) {
+            ALOGE("Parent index %zu but only have %zu objects", parent, mObjectsSize);
+            return false;
+        }
+
         binder_buffer_object *parentBuffer =
             reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent]);
         void* bufferInParent = *reinterpret_cast<void**>(