Google Git
Sign in
android/platform/frameworks/base/59c15187e7ee299592c22a166528fb27b3a03867^!/.
commit
59c15187e7ee299592c22a166528fb27b3a03867
[log]
author
Devin Moore <devinmoore@google.com>
Wed Mar 12 21:42:44 2025 +0000
committer
Android Build Coastguard Worker <android-build-coastguard-worker@google.com>
Thu Feb 19 08:58:04 2026 -0800
tree
f4a10a13855ab9ed304d1eff279bf50781594947
parent
5df604ef6b30a20487617d74efb350b5ae2a128d [diff]
NotificationHistory validate position value

We get a position value in a parcel and verify it is smaller than that
parcel's data size before setting it.

Flag: EXEMPT bug fix
Ignore-AOSP-First: security fix
Test: atest NotificationHistoryTest
Bug: 399155883
(cherry picked from commit fd4045126ff01cec3d65c053a0c2c01dc231a0f5)
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:27e0f2b515ca65729a84999e792cf7e8240025a9
Merged-In: Ica98d82d7d7c1c9c0defcff8d96bf5f36e8f5d36
Change-Id: Ica98d82d7d7c1c9c0defcff8d96bf5f36e8f5d36

diff --git a/core/java/android/app/NotificationHistory.java b/core/java/android/app/NotificationHistory.java
index eadb7e3..ac68df0 100644
--- a/core/java/android/app/NotificationHistory.java
+++ b/core/java/android/app/NotificationHistory.java

@@ -256,6 +256,10 @@
             mParcel.setDataPosition(0);
             mParcel.appendFrom(data, data.dataPosition(), listByteLength);
             mParcel.setDataSize(mParcel.dataPosition());
+            if (positionInParcel > mParcel.dataSize()) {
+                throw new IllegalStateException(
+                    "Obtained an invalid position value(" + positionInParcel + " from Parcel.");
+            }
             mParcel.setDataPosition(positionInParcel);
         }
     }