libbinder: check null bytes in readString*Inplace This is entirely defensive, since the only real guarantee we have here from these APIs is that a buffer of a given length is available. However, since we write 0's here, presumably to guard against people assuming these are null-terminated strings, we might as well enforce that they are actually null terminated. Bug: 172655291 Test: binderParcelTest (added in newer CL) Change-Id: Ie879112540155f6a93b97aeaf3d41ed8ba4ae79f Merged-In: Ie879112540155f6a93b97aeaf3d41ed8ba4ae79f (cherry picked from commit 51e02b16c397c44ddf81a0736cf6045cd4c44128)

commit: 58f5cfa56d5282e69a7580dc4bb97603c409f003 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Wed Nov 18 00:32:42 2020 +0000
committer: Steven Moreland <smoreland@google.com> Fri Dec 04 20:09:59 2020 +0000
tree: 4717ace370be83e337c26e372cf798aeeac2b252
parent: 607a9a94cfa3221f5997d21a19d0e9bb76eab798 [diff]
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 9642a87..1f7d27e 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp

@@ -1869,7 +1869,7 @@
     if (size >= 0 && size < INT32_MAX) {
         *outLen = size;
         const char* str = (const char*)readInplace(size+1);
-        if (str != nullptr) {
+        if (str != nullptr && str[size] == '\0') {
             return str;
         }
     }
@@ -1929,7 +1929,7 @@
     if (size >= 0 && size < INT32_MAX) {
         *outLen = size;
         const char16_t* str = (const char16_t*)readInplace((size+1)*sizeof(char16_t));
-        if (str != nullptr) {
+        if (str != nullptr && str[size] == u'\0') {
             return str;
         }
     }
commit	58f5cfa56d5282e69a7580dc4bb97603c409f003	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Wed Nov 18 00:32:42 2020 +0000
committer	Steven Moreland <smoreland@google.com>	Fri Dec 04 20:09:59 2020 +0000
tree	4717ace370be83e337c26e372cf798aeeac2b252
parent	607a9a94cfa3221f5997d21a19d0e9bb76eab798 [diff]