openharmony/communication_ipc
1
0
Fork 0
mirror of https://gitee.com/openharmony/communication_ipc synced 2024-11-27 01:51:13 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

!766 压测时出现~MessageParcel()函数中出现越界导致crash,同步修改

Browse Source 
Merge pull request !766 from lishengming14/master
This commit is contained in:
openharmony_ci 2023-08-22 03:42:46 +00:00 committed by Gitee
commit 1d3db6105c
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
1 changed files with 26 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
ipc/native/src/core/source/message_parcel.cpp
View File

@ -238,11 +238,19 @@ int MessageParcel::ReadFileDescriptor()
void MessageParcel::ClearFileDescriptor()
{
binder_size_t *object = reinterpret_cast<binder_size_t *>(GetObjectOffsets());
size_t objectNum = GetOffsetsSize();
uintptr_t data = GetData();
for (size_t i = 0; i < objectNum; i++) {
const flat_binder_object *flat = reinterpret_cast<flat_binder_object *>(data + object[i]);
size_t dataOffset = 0;
binder_size_t *object = nullptr;
const flat_binder_object *flat = nullptr;
for (size_t i = 0; i < GetOffsetsSize(); i++) {
object = reinterpret_cast<binder_size_t *>(GetObjectOffsets());
// offset + size
dataOffset = object[i] + sizeof(flat_binder_object);
if (dataOffset > GetDataSize()) {
ZLOGE(LOG_LABEL, "object offset is overflow, dataOffset:%{public}zu, dataSize:%{public}zu",
dataOffset, GetDataSize());
break;
}
flat = reinterpret_cast<flat_binder_object *>(GetData() + object[i]);
if (flat->hdr.type == BINDER_TYPE_FD && flat->handle > 0) {
::close(flat->handle);
}
@ -251,11 +259,19 @@ void MessageParcel::ClearFileDescriptor()
bool MessageParcel::ContainFileDescriptors() const
{
binder_size_t *object = reinterpret_cast<binder_size_t *>(GetObjectOffsets());
size_t objectNum = GetOffsetsSize();
uintptr_t data = GetData();
for (size_t i = 0; i < objectNum; i++) {
const flat_binder_object *flat = reinterpret_cast<flat_binder_object *>(data + object[i]);
size_t dataOffset = 0;
binder_size_t *object = nullptr;
const flat_binder_object *flat = nullptr;
for (size_t i = 0; i < GetOffsetsSize(); i++) {
object = reinterpret_cast<binder_size_t *>(GetObjectOffsets());
// offset + size
dataOffset = object[i] + sizeof(flat_binder_object);
if (dataOffset > GetDataSize()) {
ZLOGE(LOG_LABEL, "object offset is overflow, dataOffset:%{public}zu, dataSize:%{public}zu",
dataOffset, GetDataSize());
break;
}
flat = reinterpret_cast<flat_binder_object *>(GetData() + object[i]);
if (flat->hdr.type == BINDER_TYPE_FD) {
return true;
}