From 119329bdfbebf3826859000472afbcdb50ad96d8 Mon Sep 17 00:00:00 2001 From: Michael Wachenschwanz Date: Wed, 15 May 2019 22:58:15 -0700 Subject: [PATCH] Clear the Parcel before writing an exception during a transaction This prevents any object data from being accidentally overwritten by the exception, which could cause unexpected malformed objects to be sent across the transaction. Test: atest CtsOsTestCases:ParcelTest#testExceptionOverwritesObject Fixes: 34175893 Change-Id: Iaf80a0ad711762992b8ae60f76d861c97a403013 --- core/java/android/os/Binder.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/java/android/os/Binder.java b/core/java/android/os/Binder.java index f4a83910e652..cd0e5ea76551 100644 --- a/core/java/android/os/Binder.java +++ b/core/java/android/os/Binder.java @@ -413,6 +413,8 @@ private boolean execTransact(int code, int dataObj, int replyObj, if ((flags & FLAG_ONEWAY) != 0) { Log.w(TAG, "Caught a RuntimeException from the binder stub implementation.", e); } + // Clear the parcel before writing the exception + reply.setDataSize(0); reply.setDataPosition(0); reply.writeException(e); res = true;