1 files changed, 29 insertions, 0 deletions

diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index 6877c2e42..32b9c1162 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -84,6 +84,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import android.util.EventLog;
 
 /**
  * This class broadcasts incoming SMS messages to interested apps after storing them in
@@ -802,6 +803,19 @@ public abstract class InboundSmsHandler extends StateMachine {
         int destPort = tracker.getDestPort();
         String address = "";
 
+        // Do not process when the message count is invalid.
+        if (messageCount <= 0) {
+            EventLog.writeEvent(
+                    0x534e4554 /* snetTagId */,
+                    "72298611" /* buganizer id */,
+                    -1 /* uid */,
+                    String.format(
+                            "processMessagePart: invalid messageCount = %d",
+                            messageCount));
+
+            return false;
+        }
+
         if (messageCount == 1) {
             // single-part message
             pdus = new byte[][]{tracker.getPdu()};
@@ -835,6 +849,21 @@ public abstract class InboundSmsHandler extends StateMachine {
                     // subtract offset to convert sequence to 0-based array index
                     int index = cursor.getInt(SEQUENCE_COLUMN) - tracker.getIndexOffset();
 
+                    // The invalid PDUs can be received and stored in the raw table. The range
+                    // check ensures the process not crash even if the seqNumber in the
+                    // UserDataHeader is invalid.
+                    if (index >= pdus.length || index < 0) {
+                        EventLog.writeEvent(
+                                0x534e4554 /* snetTagId */,
+                                "72298611" /* buganizer id */,
+                                -1 /* uid */,
+                                String.format(
+                                        "processMessagePart: invalid seqNumber = %d, messageCount = %d",
+                                        index + tracker.getIndexOffset(),
+                                        messageCount));
+                        continue;
+                    }
+
                     pdus[index] = HexDump.hexStringToByteArray(cursor.getString(PDU_COLUMN));
 
                     // Read the destination port from the first segment (needed for CDMA WAP PDU).