DivestOS/Patches/LineageOS-11.0/android_frameworks_native/253524.patch

30 lines
1.1 KiB
Diff
Raw Normal View History

From 2f6bf894b7c3462f0af6cebfb7b7400f820e4220 Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Fri, 17 May 2019 13:11:30 -0700
Subject: [PATCH] readCString: no ubsan sub-overflow
Bug: 132650049
Test: fuzzer
Change-Id: I1f6dcad6906951ab505a7500573b74b210a68705
Merged-In: I1f6dcad6906951ab505a7500573b74b210a68705
(cherry picked from commit 1086548c6ceb141e2852d2690db8386911a014dd)
---
libs/binder/Parcel.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index e369c444ba..2ca4170c7d 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1136,8 +1136,8 @@ intptr_t Parcel::readIntPtr() const
const char* Parcel::readCString() const
{
- const size_t avail = mDataSize-mDataPos;
- if (avail > 0) {
+ if (mDataPos < mDataSize) {
+ const size_t avail = mDataSize-mDataPos;
const char* str = reinterpret_cast<const char*>(mData+mDataPos);
// is the string's trailing NUL within the parcel's valid bounds?
const char* eos = reinterpret_cast<const char*>(memchr(str, 0, avail));