author | John Huang <nobody@android.com> | 2009-07-01 10:08:20 -0700 |
---|---|---|
committer | Jean-Baptiste Queru <jbq@google.com> | 2009-07-27 12:42:29 -0700 |
commit | 46e23fe762d2143d60589ab6d39c4b47c2c754d1 (patch) | |
tree | d848ebee5153b61fd7a90a0bfbece79bad033498 | |
parent | 99cf7b4f58f7127421765b47b38fc4f5b00ab906 (diff) | |
download | base-46e23fe762d2143d60589ab6d39c4b47c2c754d1.tar.gz |
AI 150264: DO NOT MERGE TO DONUT.android-1.5r4android-1.5r3cupcake-release
Manual merge of https://android-git.corp.google.com/g/Gerrit#change,5804 from donut:
Ensure that we never trigger ArrayIndexOutOfBoundsException by checking that
the index is always < the array's length. Also ensures that the object's
state is consistent. Should resolve a denial-of-service bug when handling
malformed WAP pushes.
Also add a try-catch around call to dispatchMessage(), in case there are other lurking bugs. (This is also already in Donut.)
Automated import of CL 150264
-rw-r--r-- | telephony/java/com/android/internal/telephony/WspTypeDecoder.java | 28 | ||||
-rw-r--r-- | telephony/java/com/android/internal/telephony/gsm/SMSDispatcher.java | 6 |
2 files changed, 23 insertions, 11 deletions
diff --git a/telephony/java/com/android/internal/telephony/WspTypeDecoder.java b/telephony/java/com/android/internal/telephony/WspTypeDecoder.java
index 2984fa8a576c..3bbe0e17a86e 100644
--- a/telephony/java/com/android/internal/telephony/WspTypeDecoder.java
+++ b/telephony/java/com/android/internal/telephony/WspTypeDecoder.java
@@ -187,22 +187,30 @@ public class WspTypeDecoder {
 }
 /**
- * Decode the "Extension-media" type for WSP pdu
- *
- * @param startIndex The starting position of the "Extension-media" in this pdu
- *
- * @return false when error(not a Extension-media) occur
- * return value can be retrieved by getValueString() method
- * length of data in pdu can be retrieved by getValue32() method
- */
+ * Decode the "Extension-media" type for WSP PDU.
+ *
+ * @param startIndex The starting position of the "Extension-media" in this PDU.
+ *
+ * @return false on error, such as if there is no Extension-media at startIndex.
+ * Side-effects: updates stringValue (available with getValueString()), which will be
+ * null on error. The length of the data in the PDU is available with getValue32(), 0
+ * on error.
+ */
 public boolean decodeExtensionMedia(int startIndex) {
 int index = startIndex;
- while (wspData[index] != 0) {
+ dataLength = 0;
+ stringValue = null;
+ int length = wspData.length;
+ boolean rtrn = index < length;
+
+ while (index < length && wspData[index] != 0) {
 index++;
 }
+
 dataLength = index - startIndex + 1;
 stringValue = new String(wspData, startIndex, dataLength - 1);
- return true;
+
+ return rtrn;
 }
 /**
diff --git a/telephony/java/com/android/internal/telephony/gsm/SMSDispatcher.java b/telephony/java/com/android/internal/telephony/gsm/SMSDispatcher.java
index 558552409b25..f4450298ca88 100644
--- a/telephony/java/com/android/internal/telephony/gsm/SMSDispatcher.java
+++ b/telephony/java/com/android/internal/telephony/gsm/SMSDispatcher.java
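Review bot: In `decodeExtensionMedia` (WspTypeDecoder.java) the error path still runs the two assignments after the loop, so the Javadoc's promise of a null `stringValue` and a 0 length on error does not hold: with `startIndex == wspData.length` the method returns false but leaves `dataLength` at 1 and `stringValue` as an empty string, and with `startIndex > wspData.length` or a negative `startIndex` the `new String(...)` call or the array read can still throw. A value that runs to the end of the buffer without a NUL terminator is also reported as success, with a `dataLength` that counts a terminator byte that is not there, so a caller that advances by that length would step past the end of the PDU. I would return early on an out-of-range `startIndex` and treat a missing terminator as a decode failure; if unterminated values must be accepted, at least set `dataLength` to `index - startIndex` in that case.

```java
public boolean decodeExtensionMedia(int startIndex) {
    dataLength = 0;
    stringValue = null;
    // Reject an offset outside the PDU before touching the array.
    if (startIndex < 0 || startIndex >= wspData.length) {
        return false;
    }

    int index = startIndex;
    while (index < wspData.length && wspData[index] != 0) {
        index++;
    }
    // Ran off the end without finding the NUL terminator: malformed PDU.
    if (index == wspData.length) {
        return false;
    }

    dataLength = index - startIndex + 1;
    stringValue = new String(wspData, startIndex, dataLength - 1);
    return true;
}
```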
@@ -254,7 +254,11 @@ final class SMSDispatcher extends Handler {
 }
 sms = (SmsMessage) ar.result;
- dispatchMessage(sms);
+ try {
+ dispatchMessage(sms);
+ } catch (RuntimeException ex) {
+ Log.e(TAG, "Exception processing incoming SMS. Exception:" + ex);
+ }
 break; |
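Review bot: The new catch around `dispatchMessage(sms)` logs `"..." + ex`, which records only the exception's toString() and drops the stack trace, so the "other lurking bugs" this guard is meant to absorb will be hard to locate from the log. Passing the exception as the third argument keeps the trace: `Log.e(TAG, "Exception processing incoming SMS", ex);`. Whether a message that throws here is still acknowledged to the network is not visible in this hunk; if the acknowledgement happens inside `dispatchMessage`, the catch path may need to send it so that a malformed message is not redelivered. The enclosing case body starts and ends outside the hunk.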