am d437364e: am f50b9eaa: Binder: Make sure binder objects do not overlap

* commit 'd437364ec156e07c5fbe3fa27a7cd55e5450e9f6':
  Binder: Make sure binder objects do not overlap
Arve Hjønnevåg 2014-02-19 21:47:35 +00:00 committed by Android Git Automerger
commit e45636a867


@ -35,6 +35,7 @@
#include <private/binder/binder_module.h> #include <private/binder/binder_module.h>
#include <inttypes.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <stdint.h> #include <stdint.h>
@ -1317,6 +1318,7 @@ size_t Parcel::ipcObjectsCount() const
void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize, void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
const size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie) const size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie)
{ {
binder_size_t minOffset = 0;
freeDataNoInit(); freeDataNoInit();
mError = NO_ERROR; mError = NO_ERROR;
mData = const_cast<uint8_t*>(data); mData = const_cast<uint8_t*>(data);
@ -1329,6 +1331,16 @@ void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize,
mNextObjectHint = 0; mNextObjectHint = 0;
mOwner = relFunc; mOwner = relFunc;
mOwnerCookie = relCookie; mOwnerCookie = relCookie;
for (size_t i = 0; i < mObjectsSize; i++) {
binder_size_t offset = mObjects[i];
if (offset < minOffset) {
ALOGE("%s: bad object offset %"PRIu64" < %"PRIu64"\n",
__func__, (uint64_t)offset, (uint64_t)minOffset);
mObjectsSize = 0;
break;
}
minOffset = offset + sizeof(flat_binder_object);
}
scanForFds(); scanForFds();
} }
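Review bot: The new loop in `Parcel::ipcSetDataReference` enforces only a lower bound on each offset, so an entry in `mObjects` can still place a `flat_binder_object` past the end of the `dataSize` bytes. `offset + sizeof(flat_binder_object)` can also wrap for a very large offset, which drops `minOffset` back to a small value and lets later entries pass the check. Unless the caller, or the few lines elided between the second and third hunks, already guarantees the upper bound, the condition could cover it as well: `if (offset < minOffset || dataSize < sizeof(flat_binder_object) || offset > dataSize - sizeof(flat_binder_object)) {`. On rejection only `mObjectsSize` is cleared while `mError` stays `NO_ERROR`, so a short comment such as `// Reject all objects; the parcel is then read as plain data only` would make that choice explicit.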