From 29ef92601267b5e7db9198f2a1c557c83a5e826a Mon Sep 17 00:00:00 2001
From: fanzhe
Date: Mon, 8 Sep 2025 16:25:38 +0800
Subject: [PATCH] =?UTF-8?q?=E5=87=BD=E6=95=B0UnFlattenDBinderObject?= =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=88=A4=E7=A9=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: fanzhe
Change-Id: I1d0c24243da07472773d7fb3357427002727cc89
---
 ipc/native/src/core/invoker/source/binder_invoker.cpp | 5 +++++
 .../binderinvokernew007_fuzzer.cpp | 1 +
 2 files changed, 6 insertions(+)

diff --git a/ipc/native/src/core/invoker/source/binder_invoker.cpp b/ipc/native/src/core/invoker/source/binder_invoker.cpp
index d0fded34..b2dbc1d1 100644
--- a/ipc/native/src/core/invoker/source/binder_invoker.cpp
+++ b/ipc/native/src/core/invoker/source/binder_invoker.cpp
@@ -442,6 +442,11 @@ bool BinderInvoker::UnFlattenDBinderObject(Parcel &parcel, dbinder_negotiation_d
         parcel.RewindRead(offset);
         return false;
     }
+    if (obj->buffer == 0) {
+        ZLOGE(LABEL, "null dbinder buffer");
+        parcel.RewindRead(offset);
+        return false;
+    }
     dbinderData = *reinterpret_cast(obj->buffer);
     return true;
 }
diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/binderinvokernew007_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/binderinvokernew007_fuzzer.cpp
index b34ce513..42e15bb7 100644
--- a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/binderinvokernew007_fuzzer.cpp
+++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/binderinvokernew007_fuzzer.cpp
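Review bot: The added check protects the dereference on the `dbinderData = *reinterpret_cast(obj->buffer)` line against a zero pointer only; it says nothing about whether the region behind that pointer is large enough for a `dbinder_negotiation_data`, so unless a check above the hunk already compares `obj->length` with `sizeof(dbinder_negotiation_data)`, an undersized buffer object would still be read past its end. Because `obj` is decoded from the parcel (presumably filled by the peer process), the length belongs in the same guard, e.g. `if (obj->buffer == 0 || obj->length < sizeof(dbinder_negotiation_data)) {` with the log text changed to `"null or undersized dbinder buffer"`. The body of UnFlattenDBinderObject starts above the hunk, so the earlier validation is not visible here.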
@@ -49,6 +49,7 @@ void UnFlattenDBinderObjectFuzzTest001(FuzzedDataProvider &provider)
     obj.flags = provider.ConsumeIntegral();
     obj.length = provider.ConsumeIntegral();
     obj.parent = provider.ConsumeIntegral();
+    obj.buffer = 0;
     obj.parent_offset = provider.ConsumeIntegral();
     dataParcel.WriteBuffer(&obj, sizeof(binder_buffer_object));
     dbinder_negotiation_data dbinderData;
--
Gitee
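Review bot: Pinning `obj.buffer = 0` on the added line means this fuzz test now only ever reaches the new null-buffer early return in UnFlattenDBinderObject, and the copy on its `dbinderData = *reinterpret_cast(obj->buffer)` line is no longer exercised at all. To keep both paths under fuzzing without the arbitrary pointer value the previous input presumably produced, consider backing the pointer with a provider-filled local in some iterations, e.g. `dbinder_negotiation_data backing{};` filled with `provider.ConsumeData(&backing, sizeof(backing));` and then `obj.buffer = provider.ConsumeBool() ? 0 : reinterpret_cast<decltype(obj.buffer)>(&backing);`. `backing` has to outlive the call under test, which happens outside the hunk, so its placement needs to be checked against the rest of the function.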