
Commit 05c199a1 authored by Fyodor Kupolov's avatar Fyodor Kupolov Committed by android-build-merger

Merge "[DO NOT MERGE] Check bounds in offsetToPtr" into nyc-dev

am: 6c8098c8

Change-Id: I05f15f4152bf02a91384a88d648f4a9121b7f1d6
parents d098c42e 6c8098c8
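--- a/[header-path-not-shown]
+++ b/[header-path-not-shown]
@@ -18,6 +18,7 @@
 #define _ANDROID__DATABASE_WINDOW_H
 
 #include <cutils/log.h>
+#include <inttypes.h>
 #include <stddef.h>
 #include <stdint.h>
 
@@ -128,12 +129,13 @@ public:
     inline const char* getFieldSlotValueString(FieldSlot* fieldSlot,
             size_t* outSizeIncludingNull) {
         *outSizeIncludingNull = fieldSlot->data.buffer.size;
-        return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset));
+        return static_cast<char*>(offsetToPtr(
+                fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size));
     }
 
     inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) {
         *outSize = fieldSlot->data.buffer.size;
-        return offsetToPtr(fieldSlot->data.buffer.offset);
+        return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size);
     }
 
 private:
@@ -166,7 +168,16 @@ private:
     bool mReadOnly;
     Header* mHeader;
 
-    inline void* offsetToPtr(uint32_t offset) {
+    inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) {
+        if (offset >= mSize) {
+            ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize);
+            return NULL;
+        }
+        if (offset + bufferSize > mSize) {
+            ALOGE("End offset %" PRIu32 " out of bounds, max value %zu",
+                    offset + bufferSize, mSize);
+            return NULL;
+        }
         return static_cast<uint8_t*>(mData) + offset;
     }
 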
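Review bot: The end-of-buffer guard `if (offset + bufferSize > mSize)` adds two uint32_t values, so a large bufferSize read from the window can wrap the sum below mSize and the guard then admits a pointer whose claimed extent runs past the mapping, which is exactly the case this commit sets out to reject. Because the preceding check already establishes offset < mSize, the subtraction form cannot wrap: `if (bufferSize > mSize - offset) {`, with the ALOGE then reporting bufferSize (or `static_cast<size_t>(offset) + bufferSize`) instead of the wrapped sum. Both call sites in the second hunk store the slot size into the out-parameter before calling offsetToPtr, so a NULL return is handed back next to a non-zero size; whether their callers test for NULL is outside this hunk. The default `bufferSize = 0` also means any other caller of offsetToPtr not shown here still gets only the start-offset check, which is worth a comment on the declaration.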
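--- a/[source-path-not-shown]
+++ b/[source-path-not-shown]
@@ -98,9 +98,14 @@ status_t CursorWindow::createFromParcel(Parcel* parcel, CursorWindow** outCursor
             if (dupAshmemFd < 0) {
                 result = -errno;
             } else {
+                // the size of the ashmem descriptor can be modified between ashmem_get_size_region
+                // call and mmap, so we'll check again immediately after memory is mapped
                 void* data = ::mmap(NULL, size, PROT_READ, MAP_SHARED, dupAshmemFd, 0);
                 if (data == MAP_FAILED) {
                     result = -errno;
+                } else if (ashmem_get_size_region(dupAshmemFd) != size) {
+                    ::munmap(data, size);
+                    result = BAD_VALUE;
                 } else {
                     CursorWindow* window = new CursorWindow(name, dupAshmemFd,
                             data, size, true /*readOnly*/);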
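Review bot: The re-check `} else if (ashmem_get_size_region(dupAshmemFd) != size) {` compares the int return of ashmem_get_size_region directly against `size`, whose declared type is outside this hunk; if `size` is unsigned, a negative (error) return is only rejected through implicit conversion, which is easy to break in a later edit and hides the failure mode from a reader. Storing the result and testing it explicitly keeps the intent visible: `int regionSize = ashmem_get_size_region(dupAshmemFd);` followed by `} else if (regionSize < 0 || static_cast<size_t>(regionSize) != size) {`. The BAD_VALUE path unmaps `data` but does not close dupAshmemFd here; presumably the shared error path after the hunk does that, which is worth confirming since the fd was duplicated above. createFromParcel's body continues outside the hunk.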