Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ef63947f authored by Keisuke Kuroyanagi's avatar Keisuke Kuroyanagi Committed by Ken Wakasa
Browse files

Add boundary checking for PtNode Array reading. DO NOT MERGE 

cheery-pick of Iea5e19d98d2fc26f137046dd5f8e339239672351

Bug: 10957075
Change-Id: I3f1806c32fe480f2e7422d3a945932b9cc0cd98b
parent 10fa6a2e

native/jni/src/suggest/policyimpl/dictionary/dynamic_patricia_trie_node_reader.cpp

+2 −1
Original line number Diff line number Diff line
@@ -26,7 +26,8 @@ namespace latinime { 
void DynamicPatriciaTrieNodeReader::fetchPtNodeInfoFromBufferAndProcessMovedPtNode(

        const int ptNodePos, const int maxCodePointCount, int *const outCodePoints) {

    if (ptNodePos < 0 || ptNodePos >= mBuffer->getTailPosition()) {

        AKLOGE("Fetching PtNode info form invalid dictionary position: %d, dictionary size: %d",

        // Reading invalid position because of bug or broken dictionary.

        AKLOGE("Fetching PtNode info from invalid dictionary position: %d, dictionary size: %d",

                ptNodePos, mBuffer->getTailPosition());

        ASSERT(false);

        invalidatePtNodeInfo();

native/jni/src/suggest/policyimpl/dictionary/dynamic_patricia_trie_reading_helper.cpp

+18 −0
Original line number Diff line number Diff line
@@ -155,6 +155,15 @@ bool DynamicPatriciaTrieReadingHelper::traverseAllPtNodesInPtNodeArrayLevelPreor 
// Read node array size and process empty node arrays. Nodes and arrays are counted up in this

// method to avoid an infinite loop.

void DynamicPatriciaTrieReadingHelper::nextPtNodeArray() {

    if (mReadingState.mPos < 0 || mReadingState.mPos >= mBuffer->getTailPosition()) {

        // Reading invalid position because of a bug or a broken dictionary.

        AKLOGE("Reading PtNode array info from invalid dictionary position: %d, dict size: %d",

                mReadingState.mPos, mBuffer->getTailPosition());

        ASSERT(false);

        mIsError = true;

        mReadingState.mPos = NOT_A_DICT_POS;

        return;

    }

    mReadingState.mPosOfLastPtNodeArrayHead = mReadingState.mPos;

    const bool usesAdditionalBuffer = mBuffer->isInAdditionalBuffer(mReadingState.mPos);

    const uint8_t *const dictBuf = mBuffer->getBuffer(usesAdditionalBuffer);
@@ -191,6 +200,15 @@ void DynamicPatriciaTrieReadingHelper::nextPtNodeArray() { 


// Follow the forward link and read the next node array if exists.

void DynamicPatriciaTrieReadingHelper::followForwardLink() {

    if (mReadingState.mPos < 0 || mReadingState.mPos >= mBuffer->getTailPosition()) {

        // Reading invalid position because of bug or broken dictionary.

        AKLOGE("Reading forward link from invalid dictionary position: %d, dict size: %d",

                mReadingState.mPos, mBuffer->getTailPosition());

        ASSERT(false);

        mIsError = true;

        mReadingState.mPos = NOT_A_DICT_POS;

        return;

    }

    const bool usesAdditionalBuffer = mBuffer->isInAdditionalBuffer(mReadingState.mPos);

    const uint8_t *const dictBuf = mBuffer->getBuffer(usesAdditionalBuffer);

    if (usesAdditionalBuffer) {

native/jni/src/suggest/policyimpl/dictionary/dynamic_patricia_trie_reading_helper.h

+1 −0
Original line number Diff line number Diff line
@@ -240,6 +240,7 @@ class DynamicPatriciaTrieReadingHelper { 
    static const int MAX_NODE_ARRAY_COUNT_TO_AVOID_INFINITE_LOOP;

    static const size_t MAX_READING_STATE_STACK_SIZE;



    // TODO: Introduce error code to track what caused the error.

    bool mIsError;

    ReadingState mReadingState;

    const BufferWithExtendableBuffer *const mBuffer;