commit 20539ba755c19cde7924f8880a0ab2674fb0dc46
author Keun-young Park <keunyoung@google.com> Mon Oct 10 17:57:34 2016 -0700
committer Keun-young Park <keunyoung@google.com> Mon Oct 10 17:57:34 2016 -0700
tree 3b96b0f9cf810f50c1aae764e42aeb05be083a35
parent ac9a1546f95d683650e8d15f414fadaab40ffe7b

check negative size before reading Blob

bug: 32071846
Change-Id: Ia5be656c144664753b8d52e4068aa559f3cc2b04

libvehiclenetwork/native/IVehicleNetworkHalMock.cpp

diff --git a/libvehiclenetwork/native/IVehicleNetworkHalMock.cpp b/libvehiclenetwork/native/IVehicleNetworkHalMock.cpp
index 1085a57..91e00b2 100644
--- a/libvehiclenetwork/native/IVehicleNetworkHalMock.cpp
+++ b/libvehiclenetwork/native/IVehicleNetworkHalMock.cpp
@@ -69,6 +69,10 @@
                 return holder;
             }
             int32_t size = reply.readInt32();
+            if (size < 0) {
+                ALOGE("listProperties, bad blob size %d", size);
+                return holder;
+            }
             status = reply.readBlob(size, blob.blob);
             if (status != NO_ERROR) {
                 ALOGE("listProperties, cannot read blob %d", status);
@@ -202,6 +206,10 @@
             ReadableBlobHolder blob(new Parcel::ReadableBlob());
             ASSERT_OR_HANDLE_NO_MEMORY(blob.blob, return NO_MEMORY);
             int32_t size = data.readInt32();
+            if (size < 0) {
+                ALOGE("setProperty:service, bad blob size %d", size);
+                return BAD_VALUE;
+            }
             r = data.readBlob(size, blob.blob);
             if (r != NO_ERROR) {
                 ALOGE("setProperty:service, cannot read blob");