From 5b61ad2cda8ec8ab634ce02f388bb2d3c5ab048d Mon Sep 17 00:00:00 2001
From: Kenny Root <kroot@google.com>
Date: Mon, 17 Mar 2014 13:18:16 -0700
Subject: [PATCH] Check the padded size of the read byte array

Bug: 13509200
Change-Id: Id93894fcc617ec1cd4ce66921c6e1f1c3cf40b09
---
 libs/binder/Parcel.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 17ffa05d9..db9e0a1e2 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -908,7 +908,8 @@ void Parcel::remove(size_t start, size_t amt)
 
 status_t Parcel::read(void* outData, size_t len) const
 {
-    if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) {
+    if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize
+            && len <= PAD_SIZE(len)) {
         memcpy(outData, mData+mDataPos, len);
         mDataPos += PAD_SIZE(len);
         ALOGV("read Setting data pos of %p to %d\n", this, mDataPos);
@@ -919,7 +920,8 @@ status_t Parcel::read(void* outData, size_t len) const
 
 const void* Parcel::readInplace(size_t len) const
 {
-    if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) {
+    if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize
+            && len <= PAD_SIZE(len)) {
         const void* data = mData+mDataPos;
         mDataPos += PAD_SIZE(len);
         ALOGV("readInplace Setting data pos of %p to %d\n", this, mDataPos);