diff options
| author | JP Sugarbroad <jpsugar@google.com> | 2017-03-22 20:27:13 +0000 |
|---|---|---|
| committer | Android (Google) Code Review <android-gerrit@google.com> | 2017-03-22 20:27:18 +0000 |
| commit | de607e532e13710ef8b6db42c41111e7d873a4f4 (patch) | |
| tree | fe356cc872a20083c2a64299c5e2ac73c0d39e6a | |
| parent | f3a435f3962cf30a21455c2c70c50689f8be42fc (diff) | |
| parent | a7dc08b601a6ba07a0750b62bef424c80f962507 (diff) | |
| download | base-de607e532e13710ef8b6db42c41111e7d873a4f4.tar.gz | |
Merge "DO NOT MERGE [DO NOT MERGE] Check bounds in offsetToPtr" into security-aosp-mnc-mr1-release
| -rw-r--r-- | include/androidfw/CursorWindow.h | 17 | ||||
| -rw-r--r-- | libs/androidfw/CursorWindow.cpp | 5 |
2 files changed, 19 insertions, 3 deletions
diff --git a/include/androidfw/CursorWindow.h b/include/androidfw/CursorWindow.h index 8a2979a3756d..2eb349f57165 100644 --- a/include/androidfw/CursorWindow.h +++ b/include/androidfw/CursorWindow.h @@ -18,6 +18,7 @@ #define _ANDROID__DATABASE_WINDOW_H #include <cutils/log.h> +#include <inttypes.h> #include <stddef.h> #include <stdint.h> @@ -128,12 +129,13 @@ public: inline const char* getFieldSlotValueString(FieldSlot* fieldSlot, size_t* outSizeIncludingNull) { *outSizeIncludingNull = fieldSlot->data.buffer.size; - return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset)); + return static_cast<char*>(offsetToPtr( + fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size)); } inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) { *outSize = fieldSlot->data.buffer.size; - return offsetToPtr(fieldSlot->data.buffer.offset); + return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size); } private: @@ -166,7 +168,16 @@ private: bool mReadOnly; Header* mHeader; - inline void* offsetToPtr(uint32_t offset) { + inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) { + if (offset >= mSize) { + ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize); + return NULL; + } + if (offset + bufferSize > mSize) { + ALOGE("End offset %" PRIu32 " out of bounds, max value %zu", + offset + bufferSize, mSize); + return NULL; + } return static_cast<uint8_t*>(mData) + offset; } diff --git a/libs/androidfw/CursorWindow.cpp b/libs/androidfw/CursorWindow.cpp index 166863c0d91a..5694115f61aa 100644 --- a/libs/androidfw/CursorWindow.cpp +++ b/libs/androidfw/CursorWindow.cpp @@ -98,9 +98,14 @@ status_t CursorWindow::createFromParcel(Parcel* parcel, CursorWindow** outCursor if (dupAshmemFd < 0) { result = -errno; } else { + // the size of the ashmem descriptor can be modified between ashmem_get_size_region + // call and mmap, so we'll check again immediately after memory is mapped void* data = ::mmap(NULL, size, PROT_READ, MAP_SHARED, dupAshmemFd, 0); if (data == MAP_FAILED) { result = -errno; + } else if (ashmem_get_size_region(dupAshmemFd) != size) { + ::munmap(data, size); + result = BAD_VALUE; } else { CursorWindow* window = new CursorWindow(name, dupAshmemFd, data, size, true /*readOnly*/); |