commit | 569c3023f839bca077cd3cccef0a3bef9c31af63 | [log] [tgz] |
---|---|---|
author | Hani Kazmi <hanikazmi@google.com> | Tue Sep 27 10:19:45 2022 +0000 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | Sat Oct 08 00:10:19 2022 +0000 |
tree | b3ce1611ed2d9b0ef06ff239da4dbdab415837d8 | |
parent | 1e41d33566f84f624f6a755e4493432d5bd82915 [diff] |
Update Parcel readLazyValue to ignore negative object lengths Addresses a security vulnerability where a (-8) length object would cause dataPosition to be reset back to the statt of the value, and be re-read again. Bug: 240138294 Test: atest ParcelTest BundleTest AmbiguousBundlesTest Test: manually ran PoC Change-Id: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4 Merged-In: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4 (cherry picked from commit 8e01230dd264d652c6f4c82d850da5afc4768bdc) Merged-In: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4