Merge "libhwbinder: kernel check also in userspace" am: 8b95307fc7 am: 0d37d37576 Original change: https://android-review.googlesource.com/c/platform/system/libhwbinder/+/2014695 Change-Id: Ibeca94600d7eb57ece044c9931f9e7a184fbf3f2

commit: defd5b394db4938d1e9cb8be7245efa088c24746 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Tue Mar 08 19:02:39 2022 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Tue Mar 08 19:02:39 2022 +0000
tree: 50418c247ca2ddb3a7eb6948572efbc7d12136e6
parent: 983714d6fe5835f7fe87ff12601001d6f2b15b35 [diff]
parent: 0d37d37576ef44f995007e7abc2fbae64782a289 [diff]
diff --git a/Parcel.cpp b/Parcel.cpp
index 98300d0..a20d98c 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp

@@ -1333,11 +1333,17 @@
             return false;
         }
         if (buffer_obj->parent_offset != parentOffset) {
-              ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
+            ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
                   static_cast<uint64_t>(buffer_obj->parent_offset), parentOffset);
             return false;
         }
 
+        // checked by kernel driver, but needed for fuzzer
+        if (parent >= mObjectsSize) {
+            ALOGE("Parent index %zu but only have %zu objects", parent, mObjectsSize);
+            return false;
+        }
+
         binder_buffer_object *parentBuffer =
             reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent]);
         void* bufferInParent = *reinterpret_cast<void**>(
commit	defd5b394db4938d1e9cb8be7245efa088c24746	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Tue Mar 08 19:02:39 2022 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Tue Mar 08 19:02:39 2022 +0000
tree	50418c247ca2ddb3a7eb6948572efbc7d12136e6
parent	983714d6fe5835f7fe87ff12601001d6f2b15b35 [diff]
parent	0d37d37576ef44f995007e7abc2fbae64782a289 [diff]