Google Android - Insufficient Binder Message Verification Pointer Leak
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=860 When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a...