From 80094e39f90801c44cd80ab0f98df505828ea1f3 Mon Sep 17 00:00:00 2001 From: Ryan Mitchell Date: Mon, 16 Nov 2020 23:08:18 +0000 Subject: Revert^2 "libandroidfw hardening for IncFs" 55ef6167a2c235bd88c7216238b2001b46795b79 Change-Id: I02d4890d181655dfd0a14c188468db512559d27b Merged-In: I02d4890d181655dfd0a14c188468db512559d27b
---
 libs/androidfw/ZipUtils.cpp | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'libs/androidfw/ZipUtils.cpp')
diff --git a/libs/androidfw/ZipUtils.cpp b/libs/androidfw/ZipUtils.cpp
index 568e3b63d67f..58fc5bbbab5e 100644
--- a/libs/androidfw/ZipUtils.cpp
+++ b/libs/androidfw/ZipUtils.cpp
@@ -40,7 +40,7 @@ class FileReader : public zip_archive::Reader {
 explicit FileReader(FILE* fp) : Reader(), mFp(fp), mCurrentOffset(0) { }
- bool ReadAtOffset(uint8_t* buf, size_t len, off64_t offset) const {
+ bool ReadAtOffset(uint8_t* buf, size_t len, off64_t offset) const override {
 // Data is usually requested sequentially, so this helps avoid pointless // fseeks every time we perform a read. There's an impedence mismatch // here because the original API was designed around pread and pwrite.
@@ -71,7 +71,7 @@ class FdReader : public zip_archive::Reader {
 explicit FdReader(int fd) : mFd(fd) { }
- bool ReadAtOffset(uint8_t* buf, size_t len, off64_t offset) const {
+ bool ReadAtOffset(uint8_t* buf, size_t len, off64_t offset) const override {
 return android::base::ReadFullyAtOffset(mFd, buf, len, offset); }
@@ -81,22 +81,27 @@ class FdReader : public zip_archive::Reader {
 class BufferReader : public zip_archive::Reader { public:
- BufferReader(const void* input, size_t inputSize) : Reader(),
- mInput(reinterpret_cast(input)),
+ BufferReader(incfs::map_ptr input, size_t inputSize) : Reader(),
+ mInput(input.convert()),
 mInputSize(inputSize) { }
- bool ReadAtOffset(uint8_t* buf, size_t len, off64_t offset) const {
+ bool ReadAtOffset(uint8_t* buf, size_t len, off64_t offset) const override {
 if (mInputSize < len || offset > mInputSize - len) { return false; }
- memcpy(buf, mInput + offset, len);
+ const incfs::map_ptr pos = mInput.offset(offset);
+ if (!pos.verify(len)) {
+ return false;
+ }
+
+ memcpy(buf, pos.unsafe_ptr(), len);
 return true; } private:
- const uint8_t* mInput;
+ const incfs::map_ptr mInput;
 const size_t mInputSize; };
@@ -138,7 +143,7 @@ class BufferWriter : public zip_archive::Writer {
 return (zip_archive::Inflate(reader, compressedLen, uncompressedLen, &writer, nullptr) == 0); }
-/*static*/ bool ZipUtils::inflateToBuffer(const void* in, void* buf,
+/*static*/ bool ZipUtils::inflateToBuffer(incfs::map_ptr in, void* buf,
 long uncompressedLen, long compressedLen) { BufferReader reader(in, compressedLen);
-- cgit v1.2.3-59-g8ed1b
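Review bot: `mInput.offset(offset)` in `BufferReader::ReadAtOffset` is reached with a signed `off64_t` that the guard above it (a context line) never tests for being negative. Where `size_t` is 32 bits, the comparison `offset > mInputSize - len` is carried out in signed 64-bit arithmetic, so a negative offset passes the guard and the new code depends entirely on `pos.verify(len)` to reject a position before the start of the buffer; whether `verify` covers that case is not visible in this hunk. Making the guard explicit keeps the bounds decision local: `if (offset < 0 || mInputSize < len || offset > mInputSize - len) {`. A short comment on the `memcpy` line would also help later edits keep the two calls paired, e.g. `// unsafe_ptr() is used only after verify(len) succeeded for this exact range`.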
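Review bot: `compressedLen` is a `long` and is passed straight to `BufferReader`, whose constructor takes `size_t inputSize`, so a negative length converts to a very large `mInputSize` and the range check in `ReadAtOffset` no longer bounds reads to the real buffer. Unless the rest of `inflateToBuffer`, which continues outside this hunk, or its callers already rule that out, reject it before building the reader: `if (compressedLen < 0 || uncompressedLen < 0) return false;`. The same hunk changes `in` to `incfs::map_ptr`, so the function comment should say whether a null or unmapped `in` is an expected input and how it is reported to the caller.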