diff options
| author | Venkateshwarlu Domakonda <Venkateshwarlu@codeaurora.org> | 2013-09-30 19:39:41 +0530 |
|---|---|---|
| committer | Ayaz Ahmad <aahmad@codeaurora.org> | 2013-10-30 16:15:24 +0530 |
| commit | e9a189d1d9770a740d105e89ce29d7917aa6eb05 (patch) | |
| tree | 635e7bda390b9d68a04d99d69da058fb7b4cbe89 /jni | |
| parent | 0297be2af34e222e036e57faf9776a4b4089db85 (diff) | |
| download | android_hardware_qcom_fm-e9a189d1d9770a740d105e89ce29d7917aa6eb05.tar.gz android_hardware_qcom_fm-e9a189d1d9770a740d105e89ce29d7917aa6eb05.tar.bz2 android_hardware_qcom_fm-e9a189d1d9770a740d105e89ce29d7917aa6eb05.zip | |
jni: Address the security bug
- Check the length of the string before memcpy.
Change-Id: Idf599c903dc546e4481fab8f022d87b65cc85601
CRs-Fixed: 538560
Diffstat (limited to 'jni')
| -rw-r--r-- | jni/android_hardware_fm.cpp | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/jni/android_hardware_fm.cpp b/jni/android_hardware_fm.cpp index 4dcb51a..46ae7c4 100644 --- a/jni/android_hardware_fm.cpp +++ b/jni/android_hardware_fm.cpp @@ -534,10 +534,11 @@ static jint android_hardware_fmradio_FmReceiverJNI_setPINative static jint android_hardware_fmradio_FmReceiverJNI_startRTNative (JNIEnv * env, jobject thiz, jint fd, jstring radio_text, jint count ) { - ALOGD("->android_hardware_fmradio_FmReceiverJNI_startRTNative\n"); + ALOGE("->android_hardware_fmradio_FmReceiverJNI_startRTNative\n"); struct v4l2_ext_control ext_ctl; struct v4l2_ext_controls v4l2_ctls; + size_t len = 0; int err = 0; jboolean isCopy = false; @@ -547,18 +548,21 @@ static jint android_hardware_fmradio_FmReceiverJNI_startRTNative ALOGE("RT string is not valid \n"); return FM_JNI_FAILURE; } - + len = strlen(rt_string); + if (len > TX_RT_LENGTH) { + ALOGE("RT string length more than max size"); + env->ReleaseStringUTFChars(radio_text, rt_string); + return FM_JNI_FAILURE; + } rt_string1 = (char*) malloc(TX_RT_LENGTH + 1); if (rt_string1 == NULL) { ALOGE("out of memory \n"); env->ReleaseStringUTFChars(radio_text, rt_string); return FM_JNI_FAILURE; } - memset (rt_string1, 0, TX_RT_LENGTH + 1); - memcpy(rt_string1, rt_string, count); + memset(rt_string1, 0, TX_RT_LENGTH + 1); + memcpy(rt_string1, rt_string, len); - if(count < TX_RT_LENGTH) - rt_string1[count] = TX_RT_DELIMITER; ext_ctl.id = V4L2_CID_RDS_TX_RADIO_TEXT; ext_ctl.string = rt_string1; |