Snap for 8283691 from bfbbb04c096deccf43ad1c52e80c399a7be985ed to tm-d1-release
Change-Id: I2bbfac12499256084218b2e23c1357f3d2b7437c
diff --git a/Parcel.cpp b/Parcel.cpp
index 98300d0..a20d98c 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1333,11 +1333,17 @@
return false;
}
if (buffer_obj->parent_offset != parentOffset) {
- ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
+ ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
static_cast<uint64_t>(buffer_obj->parent_offset), parentOffset);
return false;
}
+ // checked by kernel driver, but needed for fuzzer
+ if (parent >= mObjectsSize) {
+ ALOGE("Parent index %zu but only have %zu objects", parent, mObjectsSize);
+ return false;
+ }
+
binder_buffer_object *parentBuffer =
reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent]);
void* bufferInParent = *reinterpret_cast<void**>(