
Commit cf50c02

author
git-core
committed
Fix off-by-one bug when calculating the bundle size
Remember the position in the parcel before adding the bundle signature. The old code only appeared to work by chance: the resolved type was NULL (so only -1 as int32 was stored in the parcel) and a redundant -1 (as int32) was added after the resolved type. Thus the former actually acted as a null string in the bundle and the latter played the part of the (null) resolved type. Don't put garbage at the end of the intent (after sticky, which is supposed to be the last parameter in an intent). Again, it seemed to work before because Android stops parsing the intent as soon as it has obtained all required parameters.
1 parent 815edac commit cf50c02


1 file changed

+2
-5
lines changed

1 file changed

+2
-5
lines changed

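--- a/activity.cpp
+++ b/activity.cpp
@@ -87,8 +87,8 @@ int send_intent(struct su_initiator *from, struct su_request *to, const char *so
 }
 { /* Extras */
 data.writeInt32(-1); /* dummy, will hold length */
-int oldPos = data.dataPosition();
 data.writeInt32(0x4C444E42); // 'B' 'N' 'D' 'L'
+int oldPos = data.dataPosition();
 { /* writeMapInternal */
 data.writeInt32(7); /* writeMapInternal - size */
 
@@ -128,15 +128,13 @@ int send_intent(struct su_initiator *from, struct su_request *to, const char *so
 data.writeInt32(VERSION_CODE);
 }
 int newPos = data.dataPosition();
-data.setDataPosition(oldPos - 4);
+data.setDataPosition(oldPos - 8);
 data.writeInt32(newPos - oldPos); /* length */
 data.setDataPosition(newPos);
 }
 
 data.writeString16(NULL, 0); /* resolvedType */
 
-data.writeInt32(-1); /* Not sure what this is for, but it prevents a warning */
-
 data.writeStrongBinder(NULL); /* resultTo */
 data.writeInt32(-1); /* resultCode */
 data.writeString16(NULL, 0); /* resultData */
@@ -146,7 +144,6 @@ int send_intent(struct su_initiator *from, struct su_request *to, const char *so
 data.writeString16(String16("com.noshufou.android.su.RESPOND")); /* perm */
 data.writeInt32(0); /* serialized */
 data.writeInt32(0); /* sticky */
-data.writeInt32(-1);
 
 status_t ret = am->transact(BROADCAST_INTENT_TRANSACTION, data, &reply);
 if (ret < START_SUCCESS) return -1;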
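Review bot: `data.setDataPosition(oldPos - 8)` in the second hunk hard-codes the distance back to the length placeholder, which now depends on two writes in the first hunk (the -1 dummy and the 'BNDL' magic); recording the slot directly is less brittle: `int lengthPos = data.dataPosition();` just before `data.writeInt32(-1); /* dummy, will hold length */`, and `data.setDataPosition(lengthPos);` in place of the `- 8` arithmetic. With oldPos now taken after the magic, the written length `newPos - oldPos` covers only the map payload and not the magic, which appears to be the intent; a comment such as `/* length of the map payload; excludes the BNDL magic */` on the length write would make that explicit for the next reader. Note also that the commit message says the position is remembered before adding the bundle signature, while the new line records it after `data.writeInt32(0x4C444E42)`. send_intent starts and ends outside the hunks.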
