| author | 2020-09-28 12:09:44 -0600 | |
|---|---|---|
| committer | 2020-09-28 12:09:46 -0600 | |
| commit | f250e4f3daca160a7759fbb0e549b26d2a551cf8 (patch) | |
| tree | 39dc7aa1bdd83653469a9e56def3470a0422619a | |
| parent | b0424a353bc21259eb529faabab8d933e04ffb5d (diff) | |
Fix off-by-one bounds checking bug.
It's reasonable for a zero-length field to have its start offset
placed exactly on the edge of the underlying buffer; we'll catch
any buffer overflows moments later when we verify the end offset
calculated from bufferSize.
Bug: 169547603
Test: atest libandroidfw_tests
Test: atest CtsDatabaseTestCases
Test: atest FrameworksCoreTests:android.database
Change-Id: I3d955f222343bd7ae63eaba7e367126dc136ecdf
| -rw-r--r-- | libs/androidfw/include/androidfw/CursorWindow.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libs/androidfw/include/androidfw/CursorWindow.h b/libs/androidfw/include/androidfw/CursorWindow.h index 73c76f0bcb5b..0bee60929cc9 100644 --- a/libs/androidfw/include/androidfw/CursorWindow.h +++ b/libs/androidfw/include/androidfw/CursorWindow.h @@ -170,7 +170,7 @@ private: Header* mHeader; inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) { - if (offset >= mSize) { + if (offset > mSize) { ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize); return NULL; } |
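Review bot: In offsetToPtr, relaxing the guard to `if (offset > mSize)` means a call that omits bufferSize (it defaults to 0) now gets back a one-past-the-end pointer when offset == mSize, and the function cannot tell a genuine zero-length field from a caller that simply did not pass a size. The end-offset check the commit message relies on is outside the visible context, so please confirm that it rejects offset == mSize whenever bufferSize is nonzero, and that no caller using the default argument dereferences the result. Consider accepting the boundary value only when the caller explicitly requests a zero-length range (or dropping the default argument), adding a comment on the function that the returned pointer may equal the end of the buffer and must not be read through, and covering offset == mSize with bufferSize of 0 and of 1 in the tests.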