more buffer validation

Bug: 294464949 Test: hidl_test Test: libHidlBase_parcel_fuzzer with test case Change-Id: I1f27c6d1d8a3fb189d510443c17f44aaff0488f2
author: Steven Moreland <smoreland@google.com> 2023-08-11 23:35:46 +0000
committer: Steven Moreland <smoreland@google.com> 2023-08-14 16:20:52 +0000
commit: bd68d24889bc81d827cc65d5c226bfdb5fece1f0 (patch)
tree: 95de27b6ec662aae5b5aa7bf6563396c21ac24bf
parent: a12c1e2daec82c51b6ba27ec423c8111a67bcd64 (diff)
download: libhwbinder-bd68d24889bc81d827cc65d5c226bfdb5fece1f0.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/Parcel.cpp b/Parcel.cpp
index a20d98c..77e2161 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1453,6 +1453,11 @@ status_t Parcel::readNullableNativeHandleNoDup(const native_handle_t **handle,
         // writable memory, and the handle returned from here will actually be
         // used (rather than be ignored).
         if (embedded) {
+            if(!validateBufferParent(parent_buffer_handle, parent_offset)) {
+                ALOGE("Buffer in parent %zu offset %zu invalid.", parent_buffer_handle, parent_offset);
+                return BAD_VALUE;
+            }
+
             binder_buffer_object *parentBuffer =
                 reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent_buffer_handle]);
author	Steven Moreland <smoreland@google.com>	2023-08-11 23:35:46 +0000
committer	Steven Moreland <smoreland@google.com>	2023-08-14 16:20:52 +0000
commit	bd68d24889bc81d827cc65d5c226bfdb5fece1f0 (patch)
tree	95de27b6ec662aae5b5aa7bf6563396c21ac24bf
parent	a12c1e2daec82c51b6ba27ec423c8111a67bcd64 (diff)
download	libhwbinder-bd68d24889bc81d827cc65d5c226bfdb5fece1f0.tar.gz