frameworks/base
| 修訂 | 6eea4a72804e1f7b20ea9cdf280ab83155c761f8 (tree) |
|---|---|
| 時間 | 2018-09-29 07:01:22 |
| 作者 | Michael Wachenschwanz <mwachens@goog...> |
| Commiter | Rohit Yengisetty |
Verify number of Map entries written to Parcel
Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.
Fixes: 112859604
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
(cherry picked from commit 057a01d1f38e9b46d3faa4059fdd7c8717681ea0)
core/java/android/os/Parcel.java (diff)| @@ -692,11 +692,19 @@ public final class Parcel { | ||
| 692 | 692 | return; |
| 693 | 693 | } |
| 694 | 694 | Set<Map.Entry<String,Object>> entries = val.entrySet(); |
| 695 | - writeInt(entries.size()); | |
| 695 | + int size = entries.size(); | |
| 696 | + writeInt(size); | |
| 697 | + | |
| 696 | 698 | for (Map.Entry<String,Object> e : entries) { |
| 697 | 699 | writeValue(e.getKey()); |
| 698 | 700 | writeValue(e.getValue()); |
| 701 | + size--; | |
| 699 | 702 | } |
| 703 | + | |
| 704 | + if (size != 0) { | |
| 705 | + throw new BadParcelableException("Map size does not match number of entries!"); | |
| 706 | + } | |
| 707 | + | |
| 700 | 708 | } |
| 701 | 709 | |
| 702 | 710 | /** |
Fork