From 2f6bf894b7c3462f0af6cebfb7b7400f820e4220 Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Fri, 17 May 2019 13:11:30 -0700
Subject: [PATCH] readCString: no ubsan sub-overflow

Bug: 132650049
Test: fuzzer
Change-Id: I1f6dcad6906951ab505a7500573b74b210a68705
Merged-In: I1f6dcad6906951ab505a7500573b74b210a68705
(cherry picked from commit 1086548c6ceb141e2852d2690db8386911a014dd)
---
 libs/binder/Parcel.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index e369c444ba..2ca4170c7d 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1136,8 +1136,8 @@ intptr_t Parcel::readIntPtr() const
 
 const char* Parcel::readCString() const
 {
-    const size_t avail = mDataSize-mDataPos;
-    if (avail > 0) {
+    if (mDataPos < mDataSize) {
+        const size_t avail = mDataSize-mDataPos;
         const char* str = reinterpret_cast<const char*>(mData+mDataPos);
         // is the string's trailing NUL within the parcel's valid bounds?
         const char* eos = reinterpret_cast<const char*>(memchr(str, 0, avail));