Merge Android 14 QPR2 to AOSP main

Bug: 319669529 Merged-In: I25cd5e365ea72d190c846c72cfe49dcb2944d06b Change-Id: Ifa5e7fa1cc923656eb315d734df1a8af6a517d97
author: Xin Li <delphij@google.com> 2024-03-06 09:30:16 -0800
committer: Xin Li <delphij@google.com> 2024-03-06 18:58:28 -0800
commit: 3b10c7af393e9b4a7010aa46e7e715e4b1197e1d (patch)
tree: bfb8d3d09eb179fc3dc92e109d46104adc7f3a5e
parent: 71df1c94611ac626561681a8688a731658e238d4 (diff)
parent: 457b0837f311711de6a2a6e32a7c71c5ab5910b3 (diff)
download: libhwbinder-3b10c7af393e9b4a7010aa46e7e715e4b1197e1d.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/Parcel.cpp b/Parcel.cpp
index 99389d7..177b102 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1453,6 +1453,11 @@ status_t Parcel::readNullableNativeHandleNoDup(const native_handle_t **handle,
         // writable memory, and the handle returned from here will actually be
         // used (rather than be ignored).
         if (embedded) {
+            if(!validateBufferParent(parent_buffer_handle, parent_offset)) {
+                ALOGE("Buffer in parent %zu offset %zu invalid.", parent_buffer_handle, parent_offset);
+                return BAD_VALUE;
+            }
+
             binder_buffer_object *parentBuffer =
                 reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent_buffer_handle]);
author	Xin Li <delphij@google.com>	2024-03-06 09:30:16 -0800
committer	Xin Li <delphij@google.com>	2024-03-06 18:58:28 -0800
commit	3b10c7af393e9b4a7010aa46e7e715e4b1197e1d (patch)
tree	bfb8d3d09eb179fc3dc92e109d46104adc7f3a5e
parent	71df1c94611ac626561681a8688a731658e238d4 (diff)
parent	457b0837f311711de6a2a6e32a7c71c5ab5910b3 (diff)
download	libhwbinder-3b10c7af393e9b4a7010aa46e7e715e4b1197e1d.tar.gz