commit 20539ba755c19cde7924f8880a0ab2674fb0dc46
author Keun-young Park <keunyoung@google.com> Mon Oct 10 17:57:34 2016 -0700
committer Keun-young Park <keunyoung@google.com> Mon Oct 10 17:57:34 2016 -0700
tree 3b96b0f9cf810f50c1aae764e42aeb05be083a35
parent ac9a1546f95d683650e8d15f414fadaab40ffe7b

check negative size before reading Blob

bug: 32071846
Change-Id: Ia5be656c144664753b8d52e4068aa559f3cc2b04

libvehiclenetwork/native/IVehicleNetwork.cpp

diff --git a/libvehiclenetwork/native/IVehicleNetwork.cpp b/libvehiclenetwork/native/IVehicleNetwork.cpp
index eb126cd..f8ba297 100644
--- a/libvehiclenetwork/native/IVehicleNetwork.cpp
+++ b/libvehiclenetwork/native/IVehicleNetwork.cpp
@@ -77,6 +77,10 @@
                 return holder;
             }
             int32_t size = reply.readInt32();
+            if (size < 0) {
+                ALOGE("listProperties, bad blob size %d", size);
+                return holder;
+            }
             status = reply.readBlob(size, blob.blob);
             if (status != NO_ERROR) {
                 ALOGE("listProperties, cannot read blob %d", status);
@@ -400,6 +404,10 @@
             ReadableBlobHolder blob(new Parcel::ReadableBlob());
             ASSERT_OR_HANDLE_NO_MEMORY(blob.blob, return NO_MEMORY);
             int32_t size = data.readInt32();
+            if (size < 0) {
+                ALOGE("injectEvent:service, bad blob size %d", size);
+                return BAD_VALUE;
+            }
             r = data.readBlob(size, blob.blob);
             if (r != NO_ERROR) {
                 ALOGE("injectEvent:service, cannot read blob");