Snap for 8294919 from 8b95307fc737e193c038b61a305eda173ea2c19a to main-cg-testing-releasemain-cg-testing-release

Change-Id: I2e4a78ba5f2c93cac687d2a9a9485934bb118a3b

1 files changed, 7 insertions, 1 deletions

diff --git a/Parcel.cpp b/Parcel.cpp
index 98300d0..a20d98c 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1333,11 +1333,17 @@ bool Parcel::verifyBufferObject(const binder_buffer_object *buffer_obj,
             return false;
         }
         if (buffer_obj->parent_offset != parentOffset) {
-              ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
+            ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
                   static_cast<uint64_t>(buffer_obj->parent_offset), parentOffset);
             return false;
         }
 
+        // checked by kernel driver, but needed for fuzzer
+        if (parent >= mObjectsSize) {
+            ALOGE("Parent index %zu but only have %zu objects", parent, mObjectsSize);
+            return false;
+        }
+
         binder_buffer_object *parentBuffer =
             reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent]);
         void* bufferInParent = *reinterpret_cast<void**>(