am 65dea14c: Merge change 27129 into eclair

Merge commit '65dea14cafb357411c6f9307c6d9add60822aa33' into eclair-plus-aosp

* commit '65dea14cafb357411c6f9307c6d9add60822aa33':
  Bounds check read and write path in native code.

core/jni/android_bluetooth_BluetoothSocket.cpp

@@ -402,7 +402,6 @@ static jint availableNative(JNIEnv *env, jobject obj) {
     return -1;
 }
 
-/** jb must not be null. offset and offset+length must be within array */
 static jint readNative(JNIEnv *env, jobject obj, jbyteArray jb, jint offset,
         jint length) {
 #ifdef HAVE_BLUETOOTH
@@ -410,10 +409,20 @@ static jint readNative(JNIEnv *env, jobject obj, jbyteArray jb, jint offset,
 
     int ret;
     jbyte *b;
+    int sz;
     struct asocket *s = get_socketData(env, obj);
 
     if (!s)
         return -1;
+    if (jb == NULL) {
+        jniThrowIOException(env, EINVAL);
+        return -1;
+    }
+    sz = env->GetArrayLength(jb);
+    if (offset < 0 || length < 0 || offset + length > sz) {
+        jniThrowIOException(env, EINVAL);
+        return -1;
+    }
 
     b = env->GetByteArrayElements(jb, NULL);
     if (b == NULL) {
@@ -436,7 +445,6 @@ static jint readNative(JNIEnv *env, jobject obj, jbyteArray jb, jint offset,
     return -1;
 }
 
-/** jb must not be null. offset and offset+length must be within array */
 static jint writeNative(JNIEnv *env, jobject obj, jbyteArray jb, jint offset,
         jint length) {
 #ifdef HAVE_BLUETOOTH
@@ -444,10 +452,20 @@ static jint writeNative(JNIEnv *env, jobject obj, jbyteArray jb, jint offset,
 
     int ret;
     jbyte *b;
+    int sz;
     struct asocket *s = get_socketData(env, obj);
 
     if (!s)
         return -1;
+    if (jb == NULL) {
+        jniThrowIOException(env, EINVAL);
+        return -1;
+    }
+    sz = env->GetArrayLength(jb);
+    if (offset < 0 || length < 0 || offset + length > sz) {
+        jniThrowIOException(env, EINVAL);
+        return -1;
+    }
 
     b = env->GetByteArrayElements(jb, NULL);
     if (b == NULL) {