author | David Christie <dnchrist@google.com> | 2016-08-23 16:19:51 -0700 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-10-04 16:11:55 -0700 |
commit | 261bf33eb17a8f1a657b749d47b2738aacfc75ea (patch) | |
tree | e99d04b23885e1b2ff48c2c3d5eb4c8be44608a5 | |
parent | 4c489eb0bcbe2a9ea5f657cae8d90ea39ab29a37 (diff) | |
DO NOT MERGE: Fix vulnerability where large GPS XTRA data can be injected. -Can potentially crash system with OOM. Bug: 29555864 stable/cm-13.0-ZNH2KB
CYNGNOS-3286
Change-Id: I7157f48dddf148a9bcab029cf12e26a58d8054f4
(cherry picked from commit 759a9eba8577f812e579c053618b27c3cb8bca20)
(cherry picked from commit c7ea21239a1443e9b304d405dcb9aa48eb4e20d0)
-rw-r--r-- | services/core/java/com/android/server/location/GpsXtraDownloader.java | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
index 3585049fab2..6310361573f 100644
--- a/services/core/java/com/android/server/location/GpsXtraDownloader.java
+++ b/services/core/java/com/android/server/location/GpsXtraDownloader.java
@@ -21,8 +21,11 @@ import android.util.Log;
 import java.net.HttpURLConnection;
 import java.net.URL;
-import libcore.io.Streams;
+import libcore.io.IoUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
 import java.io.IOException;
 import java.util.Properties;
 import java.util.Random;
@@ -36,6 +39,7 @@ public class GpsXtraDownloader {
 private static final String TAG = "GpsXtraDownloader";
 private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+ private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000; // 1MB.
 private static final String DEFAULT_USER_AGENT = "Android";
 private final String[] mXtraServers;
@@ -121,7 +125,19 @@ public class GpsXtraDownloader {
 return null;
 }
- return Streams.readFully(connection.getInputStream());
+ try (InputStream in = connection.getInputStream()) {
+ ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+ byte[] buffer = new byte[1024];
+ int count;
+ while ((count = in.read(buffer)) != -1) {
+ bytes.write(buffer, 0, count);
+ if (bytes.size() > MAXIMUM_CONTENT_LENGTH_BYTES) {
+ if (DEBUG) Log.d(TAG, "XTRA file too large");
+ return null;
+ }
+ }
+ return bytes.toByteArray();
+ }
 } catch (IOException ioe) {
 if (DEBUG) Log.d(TAG, "Error downloading gps XTRA: ", ioe);
 } finally {
@@ -133,3 +149,4 @@ public class GpsXtraDownloader {
 }
 }
+ |
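Review bot: `import libcore.io.IoUtils;` is added in the import hunk, but nothing in the new code shown in this commit refers to `IoUtils`; the input stream is closed by the try-with-resources block instead. Unless a use exists in lines outside the hunks, the import should be dropped so the file does not keep a dependency on a libcore internal that it no longer needs.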
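Review bot: The oversize branch of the new read loop logs only under `DEBUG`, so on a production build a response larger than `MAXIMUM_CONTENT_LENGTH_BYTES` is discarded without trace and looks to the caller like any other failed download. Since this cap is the mitigation for the OOM named in the commit message, I would log it unconditionally, for example `Log.w(TAG, "XTRA file too large, discarding");`, so a server that sends oversized data shows up in the logs. The cap bounds memory but not time: no read timeout is visible in this hunk, and the method's connection setup lies outside it, so it is worth confirming that `setReadTimeout` is applied there. The check runs after `bytes.write`, so the buffer can exceed the limit by up to one 1024-byte chunk; that is harmless but deserves a one-line comment next to the comparison.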