From f50b9eaaeeaeae16981f11b05d3f3a6fb0dea30d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?=
Date: Thu, 13 Feb 2014 19:22:08 -0800
Subject: [PATCH] Binder: Make sure binder objects do not overlap

Fixes crashing part of bug 11355082. The driver still leaks references.

Change-Id: Ibc6a63b151c1fc1f7666237f25255ba781e02071
---
 libs/binder/Parcel.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 38e019cb9..882130f9a 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -35,6 +35,7 @@
 #include
+#include
 #include
 #include
 #include
@@ -1317,6 +1318,7 @@ size_t Parcel::ipcObjectsCount() const
 void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
     const size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie)
 {
+    binder_size_t minOffset = 0;
     freeDataNoInit();
     mError = NO_ERROR;
     mData = const_cast(data);
@@ -1329,6 +1331,16 @@ void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
     mNextObjectHint = 0;
     mOwner = relFunc;
     mOwnerCookie = relCookie;
+    for (size_t i = 0; i < mObjectsSize; i++) {
+        binder_size_t offset = mObjects[i];
+        if (offset < minOffset) {
+            ALOGE("%s: bad object offset %"PRIu64" < %"PRIu64"\n",
+                __func__, (uint64_t)offset, (uint64_t)minOffset);
+            mObjectsSize = 0;
+            break;
+        }
+        minOffset = offset + sizeof(flat_binder_object);
+    }
     scanForFds();
 }
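Review bot: Nothing in the new offset loop checks that an object lies inside the buffer the driver handed over, so an entry whose `offset + sizeof(flat_binder_object)` runs past `dataSize` passes the `offset < minOffset` test and later readers of mObjects will dereference beyond mData; unless the driver is assumed to guarantee this, fold it into the same guard, e.g. `if (offset < minOffset || dataSize < sizeof(flat_binder_object) || offset > dataSize - sizeof(flat_binder_object)) {` (subtract form so the sum cannot wrap). On the rejection path mError stays NO_ERROR while mObjectsSize is zeroed, so a caller cannot tell a rejected object table from a parcel with no objects, and the following scanForFds() then tracks none of the descriptors that table described — if callers check mError, `mError = BAD_VALUE;` next to `mObjectsSize = 0;` would make the failure visible, otherwise a comment saying the objects are deliberately dropped would help. The format string `"%"PRIu64" < %"PRIu64"\n"` needs spaces around the macro (`"%" PRIu64 " < %" PRIu64 "\n"`), since C++11 parses a literal immediately followed by an identifier as a user-defined-literal suffix. The signature and the start of ipcSetDataReference's body are in the previous hunk, not this one.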