Loading include/androidfw/CursorWindow.h +14 −3 Original line number Diff line number Diff line Loading @@ -18,6 +18,7 @@ #define _ANDROID__DATABASE_WINDOW_H #include <cutils/log.h> #include <inttypes.h> #include <stddef.h> #include <stdint.h> Loading Loading @@ -128,12 +129,13 @@ public: inline const char* getFieldSlotValueString(FieldSlot* fieldSlot, size_t* outSizeIncludingNull) { *outSizeIncludingNull = fieldSlot->data.buffer.size; return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset)); return static_cast<char*>(offsetToPtr( fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size)); } inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) { *outSize = fieldSlot->data.buffer.size; return offsetToPtr(fieldSlot->data.buffer.offset); return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size); } private: Loading Loading @@ -166,7 +168,16 @@ private: bool mReadOnly; Header* mHeader; inline void* offsetToPtr(uint32_t offset) { inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) { if (offset >= mSize) { ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize); return NULL; } if (offset + bufferSize > mSize) { ALOGE("End offset %" PRIu32 " out of bounds, max value %zu", offset + bufferSize, mSize); return NULL; } return static_cast<uint8_t*>(mData) + offset; } Loading libs/androidfw/CursorWindow.cpp +5 −0 Original line number Diff line number Diff line Loading @@ -98,9 +98,14 @@ status_t CursorWindow::createFromParcel(Parcel* parcel, CursorWindow** outCursor if (dupAshmemFd < 0) { result = -errno; } else { // the size of the ashmem descriptor can be modified between ashmem_get_size_region // call and mmap, so we'll check again immediately after memory is mapped void* data = ::mmap(NULL, size, PROT_READ, MAP_SHARED, dupAshmemFd, 0); if (data == MAP_FAILED) { result = -errno; } else if (ashmem_get_size_region(dupAshmemFd) != size) { ::munmap(data, size); result = BAD_VALUE; } else { CursorWindow* window = new CursorWindow(name, dupAshmemFd, data, size, true /*readOnly*/); Loading Loading
include/androidfw/CursorWindow.h +14 −3 Original line number Diff line number Diff line Loading @@ -18,6 +18,7 @@ #define _ANDROID__DATABASE_WINDOW_H #include <cutils/log.h> #include <inttypes.h> #include <stddef.h> #include <stdint.h> Loading Loading @@ -128,12 +129,13 @@ public: inline const char* getFieldSlotValueString(FieldSlot* fieldSlot, size_t* outSizeIncludingNull) { *outSizeIncludingNull = fieldSlot->data.buffer.size; return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset)); return static_cast<char*>(offsetToPtr( fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size)); } inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) { *outSize = fieldSlot->data.buffer.size; return offsetToPtr(fieldSlot->data.buffer.offset); return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size); } private: Loading Loading @@ -166,7 +168,16 @@ private: bool mReadOnly; Header* mHeader; inline void* offsetToPtr(uint32_t offset) { inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) { if (offset >= mSize) { ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize); return NULL; } if (offset + bufferSize > mSize) { ALOGE("End offset %" PRIu32 " out of bounds, max value %zu", offset + bufferSize, mSize); return NULL; } return static_cast<uint8_t*>(mData) + offset; } Loading
libs/androidfw/CursorWindow.cpp +5 −0 Original line number Diff line number Diff line Loading @@ -98,9 +98,14 @@ status_t CursorWindow::createFromParcel(Parcel* parcel, CursorWindow** outCursor if (dupAshmemFd < 0) { result = -errno; } else { // the size of the ashmem descriptor can be modified between ashmem_get_size_region // call and mmap, so we'll check again immediately after memory is mapped void* data = ::mmap(NULL, size, PROT_READ, MAP_SHARED, dupAshmemFd, 0); if (data == MAP_FAILED) { result = -errno; } else if (ashmem_get_size_region(dupAshmemFd) != size) { ::munmap(data, size); result = BAD_VALUE; } else { CursorWindow* window = new CursorWindow(name, dupAshmemFd, data, size, true /*readOnly*/); Loading
