libbinder: Parcel: grow rejects large data pos

smore-lore · aoleary · commit 58ef98e05e55 · 2025-01-13T14:09:29.000Z
This is unexpected behavior so throw an error. Allocating this much memory may cause OOM or other issues. Bug: 370831157 Test: fuzzer (cherry picked from commit 608524d462278c2c9f6716cd94f126c85e9f2e91) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e4f04ab7dff943d91240e02ebb2287278d1c40c1) Merged-In: Iea0884ca61b08e52e6a6e9c66693e427cb5536f4 Change-Id: Iea0884ca61b08e52e6a6e9c66693e427cb5536f4
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
@@ -2375,6 +2375,14 @@ status_t Parcel::growData(size_t len)
         return BAD_VALUE;
     }
 
+    if (mDataPos > mDataSize) {
+        // b/370831157 - this case used to abort. We also don't expect mDataPos < mDataSize, but
+        // this would only waste a bit of memory, so it's okay.
+        ALOGE("growData only expected at the end of a Parcel. pos: %zu, size: %zu, capacity: %zu",
+              mDataPos, len, mDataCapacity);
+        return BAD_VALUE;
+    }
+
     if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
     if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
     size_t newSize = ((mDataSize+len)*3)/2;
