Merge Android 24Q1 Release (ab/11220357)

Bug: 319669529 Merged-In: Ica8454b22574c21f03c2667435a57a1214d4152f Change-Id: I3779c90c6a935b546ecc8a1fba7d46f507e70c86
author: Xin Li <delphij@google.com> 2024-01-17 22:14:58 -0800
committer: Xin Li <delphij@google.com> 2024-01-17 22:14:58 -0800
commit: 79715b16e2230a2d1060fce592c339e9beb0d33f (patch)
tree: bdb3b525833423c4c9fb49f4e31bc43074665e3e
parent: eb568cb568e59bad8c1e31f8f720f116382986f9 (diff)
parent: f2b9c0e7f9902145b51a8ad4cdc59b90ca141bc6 (diff)
download: libhwbinder-79715b16e2230a2d1060fce592c339e9beb0d33f.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/Parcel.cpp b/Parcel.cpp
index 99389d7..177b102 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1453,6 +1453,11 @@ status_t Parcel::readNullableNativeHandleNoDup(const native_handle_t **handle,
         // writable memory, and the handle returned from here will actually be
         // used (rather than be ignored).
         if (embedded) {
+            if(!validateBufferParent(parent_buffer_handle, parent_offset)) {
+                ALOGE("Buffer in parent %zu offset %zu invalid.", parent_buffer_handle, parent_offset);
+                return BAD_VALUE;
+            }
+
             binder_buffer_object *parentBuffer =
                 reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent_buffer_handle]);
author	Xin Li <delphij@google.com>	2024-01-17 22:14:58 -0800
committer	Xin Li <delphij@google.com>	2024-01-17 22:14:58 -0800
commit	79715b16e2230a2d1060fce592c339e9beb0d33f (patch)
tree	bdb3b525833423c4c9fb49f4e31bc43074665e3e
parent	eb568cb568e59bad8c1e31f8f720f116382986f9 (diff)
parent	f2b9c0e7f9902145b51a8ad4cdc59b90ca141bc6 (diff)
download	libhwbinder-79715b16e2230a2d1060fce592c339e9beb0d33f.tar.gz