commit bfbbb04c096deccf43ad1c52e80c399a7be985ed
author Steven Moreland <smoreland@google.com> Tue Mar 08 19:32:55 2022 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Tue Mar 08 19:32:55 2022 +0000
tree 50418c247ca2ddb3a7eb6948572efbc7d12136e6
parent e224d9b092ea042fe5c9aa27a72cba32dea2468e
parent defd5b394db4938d1e9cb8be7245efa088c24746

Merge "libhwbinder: kernel check also in userspace" am: 8b95307fc7 am: 0d37d37576 am: defd5b394d

Original change: https://android-review.googlesource.com/c/platform/system/libhwbinder/+/2014695

Change-Id: Ib30ca7c39d20112fdfda5ffa0d1336d3203a3e20

Parcel.cpp

diff --git a/Parcel.cpp b/Parcel.cpp
index 98300d0..a20d98c 100644
--- a/Parcel.cpp
+++ b/Parcel.cpp
@@ -1333,11 +1333,17 @@
             return false;
         }
         if (buffer_obj->parent_offset != parentOffset) {
-              ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
+            ALOGE("Buffer parent offset %" PRIu64 " does not match expected offset %zu.",
                   static_cast<uint64_t>(buffer_obj->parent_offset), parentOffset);
             return false;
         }
 
+        // checked by kernel driver, but needed for fuzzer
+        if (parent >= mObjectsSize) {
+            ALOGE("Parent index %zu but only have %zu objects", parent, mObjectsSize);
+            return false;
+        }
+
         binder_buffer_object *parentBuffer =
             reinterpret_cast<binder_buffer_object*>(mData + mObjects[parent]);
         void* bufferInParent = *reinterpret_cast<void**>(