From 057a01d1f38e9b46d3faa4059fdd7c8717681ea0 Mon Sep 17 00:00:00 2001
From: Michael Wachenschwanz <mwachens@google.com>
Date: Fri, 24 Aug 2018 21:50:35 -0700
Subject: [PATCH] Verify number of Map entries written to Parcel

Make sure the number of entries written by Parcel#writeMapInternal
matches the size written. If a mismatch were allowed, an exploitable
scenario could occur where the data read from the Parcel would not
match the data written.

Fixes: 112859604
Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest

Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
---
 core/java/android/os/Parcel.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java
index 74dcc0787b3bd..deca473ce621c 100644
--- a/core/java/android/os/Parcel.java
+++ b/core/java/android/os/Parcel.java
@@ -691,11 +691,19 @@ public final class Parcel {
             return;
         }
         Set<Map.Entry<String,Object>> entries = val.entrySet();
-        writeInt(entries.size());
+        int size = entries.size();
+        writeInt(size);
+
         for (Map.Entry<String,Object> e : entries) {
             writeValue(e.getKey());
             writeValue(e.getValue());
+            size--;
         }
+
+        if (size != 0) {
+            throw new BadParcelableException("Map size does not match number of entries!");
+        }
+
     }
 
     /**