Clear the Parcel before writing an exception during a transaction

This prevents any object data from being accidentally overwritten by the
exception, which could cause unexpected malformed objects to be sent
across the transaction.

Test: atest CtsOsTestCases:ParcelTest#testExceptionOverwritesObject
Bug: 34175893
Change-Id: Iaf80a0ad711762992b8ae60f76d861c97a403013
Merged-In: Iaf80a0ad711762992b8ae60f76d861c97a403013
(cherry picked from commit f8ef5bcf21c87d8617f5e11810cc94350298d114)
diff --git a/core/java/android/os/Binder.java b/core/java/android/os/Binder.java
index ff0bc69..b9e2119 100644
--- a/core/java/android/os/Binder.java
+++ b/core/java/android/os/Binder.java
@@ -683,6 +683,8 @@
Log.w(TAG, "Caught a RuntimeException from the binder stub implementation.", e);
}
} else {
+ // Clear the parcel before writing the exception
+ reply.setDataSize(0);
reply.setDataPosition(0);
reply.writeException(e);
}
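Review bot: The new comment in the else branch says what the call does but not why it matters, and the reason is only in the commit message: without `reply.setDataSize(0)`, `reply.setDataPosition(0)` followed by `reply.writeException(e)` writes over the start of whatever the stub had already put in the reply, leaving any object data behind it in place. I would expand the comment to say that, so a later cleanup does not drop the call as redundant with the `setDataPosition(0)` that follows. Since the stated concern is object data, please also confirm that `setDataSize(0)` discards object entries already written to `reply` and does not only truncate the byte length. Finally, the branch just above, which logs "Caught a RuntimeException from the binder stub implementation.", is not fully visible in this hunk; if it can ever write to `reply` after a partial write, it needs the same clearing.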