Merge "[DO NOT MERGE] Check bounds in offsetToPtr" into mnc-dev

am: 07beec953b

Change-Id: Ia5853c9741163b5e38a432ca645e4082bfa0a7bb
This commit is contained in:
Fyodor Kupolov
2017-03-09 19:43:55 +00:00
committed by android-build-merger
2 changed files with 19 additions and 3 deletions

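--- a/PATH_NOT_SHOWN_ON_PAGE_header
+++ b/PATH_NOT_SHOWN_ON_PAGE_header
@@ -18,6 +18,7 @@
 #define _ANDROID__DATABASE_WINDOW_H
 #include <cutils/log.h>
+#include <inttypes.h>
 #include <stddef.h>
 #include <stdint.h>
@@ -128,12 +129,13 @@ public:
     inline const char* getFieldSlotValueString(FieldSlot* fieldSlot,
             size_t* outSizeIncludingNull) {
         *outSizeIncludingNull = fieldSlot->data.buffer.size;
-        return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset));
+        return static_cast<char*>(offsetToPtr(
+                fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size));
     }
     inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) {
         *outSize = fieldSlot->data.buffer.size;
-        return offsetToPtr(fieldSlot->data.buffer.offset);
+        return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size);
     }
 private:
@@ -166,7 +168,16 @@ private:
     bool mReadOnly;
     Header* mHeader;
-    inline void* offsetToPtr(uint32_t offset) {
+    inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) {
+        if (offset >= mSize) {
+            ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize);
+            return NULL;
+        }
+        if (offset + bufferSize > mSize) {
+            ALOGE("End offset %" PRIu32 " out of bounds, max value %zu",
+                    offset + bufferSize, mSize);
+            return NULL;
+        }
         return static_cast<uint8_t*>(mData) + offset;
     }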
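Review bot: The end-of-buffer check in offsetToPtr, `if (offset + bufferSize > mSize)`, adds two uint32_t operands, so a bufferSize near UINT32_MAX wraps the sum back below mSize and the check passes even though the range runs far past the window; the caller then receives a valid pointer paired with an oversized length. Because the first check already guarantees offset < mSize, the subtraction form cannot underflow and does not wrap: `if (bufferSize > mSize - offset) {`, with the ALOGE printing `bufferSize` (or both operands) rather than the possibly wrapped sum. Note also that getFieldSlotValueString and getFieldSlotValueBlob write the size into their out-parameter before offsetToPtr can fail, so a caller sees a non-zero size next to a NULL pointer and must test the pointer, not the size, before reading. The CursorWindow class body extends beyond these hunks.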

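--- a/PATH_NOT_SHOWN_ON_PAGE_source
+++ b/PATH_NOT_SHOWN_ON_PAGE_source
@@ -98,9 +98,14 @@ status_t CursorWindow::createFromParcel(Parcel* parcel, CursorWindow** outCursor
     if (dupAshmemFd < 0) {
         result = -errno;
     } else {
+        // the size of the ashmem descriptor can be modified between ashmem_get_size_region
+        // call and mmap, so we'll check again immediately after memory is mapped
         void* data = ::mmap(NULL, size, PROT_READ, MAP_SHARED, dupAshmemFd, 0);
         if (data == MAP_FAILED) {
             result = -errno;
+        } else if (ashmem_get_size_region(dupAshmemFd) != size) {
+            ::munmap(data, size);
+            result = BAD_VALUE;
         } else {
             CursorWindow* window = new CursorWindow(name, dupAshmemFd,
                     data, size, true /*readOnly*/);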
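Review bot: The re-check `ashmem_get_size_region(dupAshmemFd) != size` only closes the race if the region cannot be resized after a mapping exists, and the new comment describes the race without stating why a single post-mmap read settles it; if I read ashmem correctly, a resize is refused once the region is mapped, and the comment should record that assumption, e.g. `// ashmem refuses to resize a region once it is mapped, so the size read after mmap is final for this mapping`. The comparison also mixes the int return of ashmem_get_size_region with `size` (whose type is outside the hunk); a -1 error return compares unequal after conversion, but an explicit `< 0` branch would make that error path visible instead of relying on the conversion. What happens to dupAshmemFd on the new BAD_VALUE path is not visible here; presumably it is closed after the block as on the MAP_FAILED path, which is worth confirming. createFromParcel begins before and ends after this hunk.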