| author | 2017-02-13 18:35:12 -0800 | |
|---|---|---|
| committer | 2017-02-16 09:50:00 -0800 | |
| commit | 45e2e95c2ffeb2d978e2cce80b729ef6ada3b8d2 (patch) | |
| tree | 992c98155bec887d70df51eb7b90a35a1fe564a9 /libs/androidfw/include | |
| parent | 3d52f79be4dba94f046709fabc1bfb911a670709 (diff) | |
Check bounds in offsetToPtr
Check whether specified offset belongs to mData.
Also added a default argument bufferSize to check the end offset.
Size of the ashmem descriptor can be modified between
ashmem_get_size_region call and mmap. createFromParcel method was updated
to check ashmem size again immediately after memory is mapped.
Test: manual - using the test app from the bug
Bug: 34128677
Change-Id: I3ecd1616a870ce20941ce9b20a1843d2b4295750
Diffstat (limited to 'libs/androidfw/include')
| -rw-r--r-- | libs/androidfw/include/androidfw/CursorWindow.h | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/libs/androidfw/include/androidfw/CursorWindow.h b/libs/androidfw/include/androidfw/CursorWindow.h
index f54356576551..ad64b246b3f5 100644
--- a/libs/androidfw/include/androidfw/CursorWindow.h
+++ b/libs/androidfw/include/androidfw/CursorWindow.h
@@ -17,6 +17,7 @@
 #ifndef _ANDROID__DATABASE_WINDOW_H
 #define _ANDROID__DATABASE_WINDOW_H
 
+#include <inttypes.h>
 #include <stddef.h>
 #include <stdint.h>
 
@@ -128,12 +129,13 @@ public:
     inline const char* getFieldSlotValueString(FieldSlot* fieldSlot,
             size_t* outSizeIncludingNull) {
         *outSizeIncludingNull = fieldSlot->data.buffer.size;
-        return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset));
+        return static_cast<char*>(offsetToPtr(
+                fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size));
     }
 
     inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) {
         *outSize = fieldSlot->data.buffer.size;
-        return offsetToPtr(fieldSlot->data.buffer.offset);
+        return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size);
     }
 
 private:
@@ -166,7 +168,16 @@ private:
     bool mReadOnly;
     Header* mHeader;
 
-    inline void* offsetToPtr(uint32_t offset) {
+    inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) {
+        if (offset >= mSize) {
+            ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize);
+            return NULL;
+        }
+        if (offset + bufferSize > mSize) {
+            ALOGE("End offset %" PRIu32 " out of bounds, max value %zu",
+                    offset + bufferSize, mSize);
+            return NULL;
+        }
         return static_cast<uint8_t*>(mData) + offset;
     }
 |
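Review bot: In the third hunk the end check `if (offset + bufferSize > mSize)` adds two uint32_t values, so a large buffer size read from the parcelled window can wrap the sum back below mSize and the check passes even though the slot extends past the mapping; the first check only bounds the start offset. Because `offset >= mSize` has already been rejected, the wrap-free form is `if (bufferSize > mSize - offset) {` (mSize is printed with %zu, so presumably size_t), and the ALOGE on the same branch should print `offset` and `bufferSize` separately rather than the possibly wrapped sum. In the second hunk both callers store `fieldSlot->data.buffer.size` into the out-parameter before offsetToPtr can return NULL, so a caller that checks the pointer still receives a non-zero size; consider assigning the size only after a non-NULL result, or documenting that the size is meaningless when NULL is returned. The class declaration enclosing these methods begins and ends outside the hunks.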