Commit 7dfd00cc authored by Ray Essick

fix end-of-buffer check

code properly checked that pointer was still within buffer
and then adjusted the pointer, resulting in possible OOB reference.

Bug: 204445255
Test: ran poc from bug
Change-Id: I731341c6ee46a011a7535b8a2b04ebc03711b1a7
parent 902666b8
+1 −2
@@ -470,11 +470,10 @@ protected:
    status_t extract(std::string *val, const char **bufferpptr, const char *bufferptrmax) {
        const char *ptr = *bufferpptr;
        while (*ptr != 0) {
            if (ptr >= bufferptrmax) {
            if (++ptr >= bufferptrmax) {
                ALOGE("%s: buffer exceeded", __func__);
                return BAD_VALUE;
            }
            ++ptr;
        }
        const size_t size = (ptr - *bufferpptr) + 1;
        *val = *bufferpptr;
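
Review bot: The loop condition `while (*ptr != 0)` still dereferences `ptr` on entry before any comparison against `bufferptrmax`, so if the caller passes `*bufferpptr` equal to `bufferptrmax` the first read is not covered by the check. With `if (++ptr >= bufferptrmax)` every later read is bounds-checked before it happens, but the initial one is not; consider an up-front `if (ptr >= bufferptrmax) return BAD_VALUE;` or folding the bound into the loop as `while (ptr < bufferptrmax && *ptr != 0)` followed by a check that a terminator was actually found. A short comment stating that `bufferptrmax` is one past the last valid byte would also help, since the `>=` comparison and the later `*val = *bufferpptr;` both depend on that convention and on the NUL lying inside the buffer.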