Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2e7e15f2 authored by John Huang's avatar John Huang Committed by The Android Open Source Project
Browse files

AI 150264: DO NOT MERGE TO DONUT. 

  Manual merge of https://android-git.corp.google.com/g/Gerrit#change,5804 from donut:
  Ensure that we never trigger ArrayIndexOutOfBoundsException by checking that
  the index is always < the array's length. Also ensures that the object's
  state is consistent. Should resolve a denial-of-service bug when handling
  malformed WAP pushes.
  Also add a try-catch around call to dispatchMessage(), in case there are other lurking bugs.  (This is also already in Donut.)

Automated import of CL 150264
parent 5a3a63f8

telephony/java/com/android/internal/telephony/WspTypeDecoder.java

+18 −10
Original line number Diff line number Diff line
@@ -187,22 +187,30 @@ public class WspTypeDecoder { 
    }



    /**

     * Decode the "Extension-media" type for WSP pdu

    * Decode the "Extension-media" type for WSP PDU.

    *

     * @param startIndex The starting position of the "Extension-media" in this pdu

    * @param startIndex The starting position of the "Extension-media" in this PDU.

    *

     * @return false when error(not a Extension-media) occur

     *         return value can be retrieved by getValueString() method

     *         length of data in pdu can be retrieved by getValue32() method

    * @return false on error, such as if there is no Extension-media at startIndex.

    * Side-effects: updates stringValue (available with getValueString()), which will be

    * null on error. The length of the data in the PDU is available with getValue32(), 0

    * on error.

    */

    public boolean decodeExtensionMedia(int startIndex) {

        int index = startIndex;

        while (wspData[index] != 0) {

        dataLength = 0;

        stringValue = null;

        int length = wspData.length;

        boolean rtrn = index < length;



        while (index < length && wspData[index] != 0) {

            index++;

        }



        dataLength  = index - startIndex + 1;

        stringValue = new String(wspData, startIndex, dataLength - 1);

        return true;



        return rtrn;

    }



    /**

telephony/java/com/android/internal/telephony/gsm/SMSDispatcher.java

+5 −1
Original line number Diff line number Diff line
@@ -254,7 +254,11 @@ final class SMSDispatcher extends Handler { 
            }



            sms = (SmsMessage) ar.result;

            try {

                dispatchMessage(sms);

            } catch (RuntimeException ex) {

                Log.e(TAG, "Exception processing incoming SMS. Exception:" + ex);

            }



            break;