diff options
| -rw-r--r-- | drivers/android/binder.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 7a8cdecaf348..30d71b928f0d 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3534,6 +3534,7 @@ static void binder_transaction(struct binder_proc *proc, */ copy_size = object_offset - user_offset; if (copy_size && (user_offset > object_offset || + object_offset > tr->data_size || binder_alloc_copy_user_to_buffer( &target_proc->alloc, t->buffer, user_offset, |