DO NOT MERGE: Fix vulnerability where large GPS XTRA data can beandroid-cts-7.0_r3android-7.0.0_r9android-7.0.0_r8android-7.0.0_r7android-7.0.0_r11android-7.0.0_r10

injected.
-Can potentially crash system with OOM.
Bug: 29555864

Change-Id: I7157f48dddf148a9bcab029cf12e26a58d8054f4
(cherry picked from commit 79375723f0f201a6759ddbfda57d491ff3fea64e)

1 files changed, 21 insertions, 1 deletions

diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
index c464371bf16a..874857ac3883 100644
--- a/services/core/java/com/android/server/location/GpsXtraDownloader.java
+++ b/services/core/java/com/android/server/location/GpsXtraDownloader.java
@@ -22,6 +22,12 @@ import android.util.Log;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
+
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.IOException;
 import java.util.Properties;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
@@ -37,6 +43,7 @@ public class GpsXtraDownloader {
 
     private static final String TAG = "GpsXtraDownloader";
     private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+    private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000;  // 1MB.
     private static final String DEFAULT_USER_AGENT = "Android";
     private static final int CONNECTION_TIMEOUT_MS = (int) TimeUnit.SECONDS.toMillis(30);
 
@@ -124,7 +131,19 @@ public class GpsXtraDownloader {
                 return null;
             }
 
-            return Streams.readFully(connection.getInputStream());
+            try (InputStream in = connection.getInputStream()) {
+                ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+                byte[] buffer = new byte[1024];
+                int count;
+                while ((count = in.read(buffer)) != -1) {
+                    bytes.write(buffer, 0, count);
+                    if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+                        if (DEBUG) Log.d(TAG, "XTRA file too large");
+                        return null;
+                    }
+                }
+                return bytes.toByteArray();
+            }
         } catch (IOException ioe) {
             if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
         } finally {
@@ -136,3 +155,4 @@ public class GpsXtraDownloader {
     }
 
 }
+