Add bound checks to utf16_to_utf8

Bug: 29250543 Change-Id: I518e7b2fe10aaa3f1c1987586a09b1110aff7e1a (cherry picked from commit 7e93b2ddcb49b5365fbe1dab134ffb38e6f1c719)
author: Sergio Giro <sgiro@google.com> 2016-06-28 18:19:33 +0100
committer: gitbuildkicker <android-build@google.com> 2016-08-01 19:13:30 -0700
commit: 1f4b49e64adf4623eefda503bca61e253597b9bf (patch)
tree: 3aa8699af956416a9169c1f5cae0adc7fabd5faf
parent: eb7980c224a54f860b7af5ecf30cbc633ae41289 (diff)
download: native-1f4b49e64adf4623eefda503bca61e253597b9bf.tar.gz
1 files changed, 6 insertions, 5 deletions
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index c7e8ff2e71..e88ae29518 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -1795,15 +1795,16 @@ status_t Parcel::readUtf8FromUtf16(std::string* str) const {
        return NO_ERROR;
     }
 
-    ssize_t utf8Size = utf16_to_utf8_length(src, utf16Size);
-    if (utf8Size < 0) {
+    // Allow for closing '\0'
+    ssize_t utf8Size = utf16_to_utf8_length(src, utf16Size) + 1;
+    if (utf8Size < 1) {
         return BAD_VALUE;
     }
     // Note that while it is probably safe to assume string::resize keeps a
-    // spare byte around for the trailing null, we're going to be explicit.
-    str->resize(utf8Size + 1);
-    utf16_to_utf8(src, utf16Size, &((*str)[0]));
+    // spare byte around for the trailing null, we still pass the size including the trailing null
     str->resize(utf8Size);
+    utf16_to_utf8(src, utf16Size, &((*str)[0]), utf8Size);
+    str->resize(utf8Size - 1);
     return NO_ERROR;
 }
author	Sergio Giro <sgiro@google.com>	2016-06-28 18:19:33 +0100
committer	gitbuildkicker <android-build@google.com>	2016-08-01 19:13:30 -0700
commit	1f4b49e64adf4623eefda503bca61e253597b9bf (patch)
tree	3aa8699af956416a9169c1f5cae0adc7fabd5faf
parent	eb7980c224a54f860b7af5ecf30cbc633ae41289 (diff)
download	native-1f4b49e64adf4623eefda503bca61e253597b9bf.tar.gz