
Commit f250e4f3 authored by Jeff Sharkey

Fix off-by-one bounds checking bug.

It's reasonable for a zero-length field to have its start offset
placed exactly on the edge of the underlying buffer; we'll catch
any buffer overflows moments later when we verify the end offset
calculated from bufferSize.

Bug: 169547603
Test: atest libandroidfw_tests
Test: atest CtsDatabaseTestCases
Test: atest FrameworksCoreTests:android.database
Change-Id: I3d955f222343bd7ae63eaba7e367126dc136ecdf
parent b0424a35
+1 −1
@@ -170,7 +170,7 @@ private:
    Header* mHeader;

    inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) {
        if (offset >= mSize) {
        if (offset > mSize) {
            ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize);
            return NULL;
        }
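Review bot: relaxing `offset >= mSize` to `offset > mSize` makes the correctness of offsetToPtr depend entirely on the end-offset check that the commit message says follows, but that check is not in this hunk. With the default `bufferSize = 0`, a call at `offset == mSize` now returns a pointer one element past the buffer instead of NULL, so any caller that passes no bufferSize and then dereferences the result would read out of bounds; please extend the context to show the `offset + bufferSize` check (or reference it), and confirm it is computed so that the `uint32_t` sum cannot wrap below `mSize` (which is a `size_t`, per the `%zu` in the ALOGE).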