Snap for 8558685 from bfbbb04c096deccf43ad1c52e80c399a7be985ed to tm-frc-documentsui-release

Change-Id: Ie4ff6a0ac5b54cd957b006371b7ffc53e4c16a26
diff --git a/Binder.cpp b/Binder.cpp
index b90639f..6d26414 100644
--- a/Binder.cpp
+++ b/Binder.cpp
@@ -129,20 +129,12 @@
         }
     }
 
-    status_t err = NO_ERROR;
-    switch (code) {
-        default:
-            err = onTransact(code, data, reply, flags,
-                    [&](auto &replyParcel) {
-                        replyParcel.setDataPosition(0);
-                        if (callback != nullptr) {
-                            callback(replyParcel);
-                        }
-                    });
-            break;
-    }
-
-    return err;
+    return onTransact(code, data, reply, flags, [&](auto& replyParcel) {
+      replyParcel.setDataPosition(0);
+      if (callback != nullptr) {
+        callback(replyParcel);
+      }
+    });
 }
 
 status_t BHwBinder::linkToDeath(
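Review bot: The lambda handed to `onTransact` uses a default `[&]` capture, so `callback` is held by reference and the lambda is only valid while this function's frame is alive; nothing in the hunk states that `onTransact` must invoke it before returning. Since `callback` is the only outer name the body uses, `[&callback]` would make that dependency explicit, and a comment such as `// reply callback is borrowed: onTransact must call it synchronously` would record the lifetime contract. The lambda body is also indented by two spaces while the surrounding context lines use four. The start of the enclosing function, including the declaration of `callback`, is outside the hunk, so the contract may already be documented there.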
diff --git a/Parcel.cpp b/Parcel.cpp
index 98300d0..a20d98c 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1333,11 +1333,17 @@
             return false;
         }
         if (buffer_obj->parent_offset != parentOffset) {
-              ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
+            ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
                   static_cast<uint64_t>(buffer_obj->parent_offset), parentOffset);
             return false;
         }
 
+        // checked by kernel driver, but needed for fuzzer
+        if (parent >= mObjectsSize) {
+            ALOGE("Parent index %zu but only have %zu objects", parent, mObjectsSize);
+            return false;
+        }
+
         binder_buffer_object *parentBuffer =
             reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent]);
         void* bufferInParent = *reinterpret_cast<void**>(
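Review bot: The new `parent >= mObjectsSize` guard bounds the index into `mObjects`, but the value read from `mObjects[parent]` is then added to `mData` and cast to `binder_buffer_object*` with no visible check that the offset lies inside the parcel's data. The added comment says the kernel driver normally validates this and the check exists for the fuzzer; in that same no-driver case the stored offset is equally unvalidated, so the dereference that follows can still read out of bounds. Unless the offsets table is validated where it is filled in (not shown here), the guard should be followed by a check of the form `if (mObjects[parent] > mDataSize || mDataSize - mObjects[parent] < sizeof(binder_buffer_object)) return false;` (assuming `mDataSize` is the member holding the data length), and `parentOffset` should likewise be checked against the parent buffer's length before the pointer read that starts on the last line. The enclosing function begins and ends outside the hunk.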