libbinder: Parcel: grow rejects large data pos

Steven Moreland · Steven Moreland · commit 608524d46227 · 2024-10-02T01:01:29.000Z
This is unexpected behavior so throw an error.
Allocating this much memory may cause OOM or
other issues.

Bug: 370831157
Test: fuzzer
Change-Id: Iea0884ca61b08e52e6a6e9c66693e427cb5536f4
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
@@ -2948,6 +2948,14 @@ status_t Parcel::growData(size_t len)
         return BAD_VALUE;
     }
 
+    if (mDataPos > mDataSize) {
+        // b/370831157 - this case used to abort. We also don't expect mDataPos < mDataSize, but
+        // this would only waste a bit of memory, so it's okay.
+        ALOGE("growData only expected at the end of a Parcel. pos: %zu, size: %zu, capacity: %zu",
+              mDataPos, len, mDataCapacity);
+        return BAD_VALUE;
+    }
+
     if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
     if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
     size_t newSize = ((mDataSize+len)*3)/2;
