Fix integer overflow in unsafeReadTypedVector Passing a size to std::vector that is too big causes it to silently under-allocate when exceptions are disabled, leaving us open to an OOB write. We check the bounds and the resulting size now to verify allocation succeeds. Test: Verified reproducer attached to bug no longer crashes Camera service. Bug: 31677614 Change-Id: I064b1442838032d93658f8bf63b7aa6d021c99b7 (cherry picked from commit 65a8f07e57a492289798ca709a311650b5bd5af1)

commit: e5753ba087fa59ee02f6026cc13b1ceb42a1f266 [log] [tgz]
author: Casey Dahlin <sadmac@google.com> Wed Oct 26 17:18:25 2016 -0700
committer: gitbuildkicker <android-build@google.com> Thu Dec 01 14:47:04 2016 -0800
tree: 636e7683ce010761d3713048814100fc824ac5fd
parent: f14208e0390d8ee20ee4a5d7605d614e8b1abaf1 [diff]
diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h
index 1c355c4..2490b82 100644
--- a/include/binder/Parcel.h
+++ b/include/binder/Parcel.h

@@ -589,8 +589,16 @@
         return UNEXPECTED_NULL;
     }
 
+    if (val->max_size() < size) {
+        return NO_MEMORY;
+    }
+
     val->resize(size);
 
+    if (val->size() < size) {
+        return NO_MEMORY;
+    }
+
     for (auto& v: *val) {
         status = (this->*read_func)(&v);
commit	e5753ba087fa59ee02f6026cc13b1ceb42a1f266	[log] [tgz]
author	Casey Dahlin <sadmac@google.com>	Wed Oct 26 17:18:25 2016 -0700
committer	gitbuildkicker <android-build@google.com>	Thu Dec 01 14:47:04 2016 -0800
tree	636e7683ce010761d3713048814100fc824ac5fd
parent	f14208e0390d8ee20ee4a5d7605d614e8b1abaf1 [diff]