The addition of ashmem size tracking can lead to parcel objects
overwriting other values on the stack in old binary blobs.
Change-Id: Ife8514be1ba639c4061de38b59794c46bcc2d7f8
The addition of ashmem size tracking can lead to parcel objects
overwriting other values on the stack in old binary blobs.
Change-Id: Ida52cec851a6f9d5a57c8f9130a5875c03dcb094
Using the __attribute__((unused)) preprocessor directive
Change-Id: I29d27fd7eacb962ffa06ccd81ee48b48f3743243
(cherry picked from commit 047c69bb8e17eab6f3432fae200fe94f7e119755)
Makes sure we don't change the memory layout of the Parcel class
to maintain binary compatibility with prebuilts linking against
libbinder.
Bug: 25004154
Change-Id: I656687497f08bb85cefda796aafa2341e601e30a
writeByteArray writes the size using sizeof(size_t), however it is always
read using readInt32(). On devices where sizeof(size_t) != 4 this causes
extra bytes to be written.
BUG: 22204736
Change-Id: I8d4507b6b616857ef5827f1fe9da0907d09abf0e
Make sure that we don't go haywire if an exponential buffer growth
operation winds up wrapping integer range. Along the way, fix a
bookkeeping bug in BufferedTextOutput that would cause it to keep
spuriously realloc()ing on every append().
Bug 20674694
Change-Id: Ia845b7de36b90672a151a918ffc26c7da68e20a2
We now check for fd-legality before committing binder objects to
the flattened data buffer rather than after. Previously we would
wind up corrupting the parcel and incurring driver-level errors,
as well as potentially leaking FDs.
Bug 21428802
Change-Id: Ice0d641b3dcc41fb1b8c68ce2e2ebd744c2863a1
Add functions to allow a client to take over the ashmem region
that was transferred so that it can claim it for its own and
reuse it.
Add support for mutable ashmem regions too.
Bug: 21428802
Change-Id: I16eca338cdb99b07d81fc43573d53ce86dbc60c8
Attempts to replicate Java parceling in native code is fraught with
peril.
Change-Id: I4359036c5dddd1b886d886beef1d060523e53e5f
(cherry picked from commit f47a381001)
When appending one parcel's contents to another, ignore binder
objects within the source Parcel that appear to lie beyond the
formal bounds of that Parcel's data buffer.
Bug 17312693
Change-Id: If592a260f3fcd9a56fc160e7feb2c8b44c73f514
The inputs to native_handle_create can cause an overflowed allocation,
so check the return value of native_handle_create before accessing
the memory it returns.
Bug:19334482
Change-Id: I1f489382776c2a1390793a79dc27ea17baa9b2a2
Will be used by the system_server watchdog to monitor the
availability of binder threads in the process to handle
incoming IPC requests.
Bug: 19297165
Change-Id: I39175f3869ad14da5620fddb47f454e6e4ee2b25
It's a security best practice for size_t values to be rejected if
they are greater than INT32_SIZE. This is intended to prevent the
common error of inadvertently passing a negative int value to a
function, which after conversion to an unsigned type, becomes a huge
number, defeating the purpose of bounds checking.
This patch also addresses a bug where the call to:
Parcel::write(buf, (size_t) -1);
would call writeInPlace() which uses PAD_SIZE on the supplied
argument. This would then cause an integer overflow, with PAD_SIZE
returning a small value, but the memcpy in Parcel::write using the
old large length value.
Bug: 19573085
Change-Id: Ib11bfb3dae4f3be91cd17b2c676926700972c7b8
This makes apps linked against the previous non-static versions
work with the new libbinder.
Bug: 19060033
Bug: 19773812
Change-Id: I3b5c78cbb4f4c0681ca1042e4d8503d98f969502
When compiling 32 bit binaries against a 64 bit binder interface,
implicit promotions of intptr_t types to uint64_t for fields in the
binder ioctl structures can result in invalid pointers because of sign
extension.
Adds readUint32 and writeUint32 methods to the Parcel class. This
saves a lot of static_casting in anything implementing a Binder
interface on the native side.
Change-Id: Iafc73b0633654a3a4c49767f41806b56906c924f
Now that we're in C++11 mode by default, clang complains about switch
statements with case values not matching the type -- since some
binder_driver_return_protocol values are > 0x7fffffff, we need to make
the switch statements operate on uint32_t rather than int32_t.
BUG: 18466763
Change-Id: Iedbfd5c7a3d3d9f087d2eab4ff21343ad7a2a448
Signed-off-by: Bernhard Rosenkränzer <Bernhard.Rosenkranzer@linaro.org>