authorFyodor Kupolov <fkupolov@google.com>2017-02-22 14:12:50 -0800
committerSean McCreary <mccreary@mcwest.org>2017-05-21 14:44:46 -0600
commit1ab4755f260f714e473933f887cde8cf043a8313 (patch)
tree5e4fdfdb8f1ea87695f0e6cf6510fd116735af62
parenta7f586deb1ea914e6797ccc8c20120442c0d9050 (diff)
[DO NOT MERGE] Throw exception if slot has invalid offset
Previously the process would crash, which is OK, but complicates testing. Test: cts-tradefed run cts --module CtsContentTestCases --test android.content.cts.ContentProviderCursorWindowTest Bug: 34128677 AOSP-Change-Id: I5b50982d77ec65c442fbb973d14c85a5c29c43c7 (cherry picked from commit eb6de6f5f10148b9f81f9c0074d1e1f7af21bfb0) (cherry picked from commit 676f703f746391cfdf05bafd2289226f7a6e5255) CVE-2017-0598 Change-Id: If4df1645887525e00c2762d4c702efbccf2e0b5b
-rw-r--r--core/jni/android_database_CursorWindow.cpp8
1 files changed, 8 insertions, 0 deletions
diff --git a/core/jni/android_database_CursorWindow.cpp b/core/jni/android_database_CursorWindow.cpp
index 580ac02789c..a86e57dc024 100644
--- a/core/jni/android_database_CursorWindow.cpp
+++ b/core/jni/android_database_CursorWindow.cpp
@@ -182,6 +182,10 @@ static jbyteArray nativeGetBlob(JNIEnv* env, jclass clazz, jlong windowPtr,
if (type == CursorWindow::FIELD_TYPE_BLOB || type == CursorWindow::FIELD_TYPE_STRING) {
size_t size;
const void* value = window->getFieldSlotValueBlob(fieldSlot, &size);
+ if (!value) {
+ throw_sqlite3_exception(env, "Native could not read blob slot");
+ return NULL;
+ }
jbyteArray byteArray = env->NewByteArray(size);
if (!byteArray) {
env->ExceptionClear();
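Review bot: The null check added before `NewByteArray` only closes the hole if `getFieldSlotValueBlob` actually returns NULL for a slot whose offset is outside the window, and that contract lives in libandroidfw's CursorWindow.cpp, which this diff does not touch — a cherry-pick of this JNI change alone leaves the check dead and `size` still read uninitialized. I would make the out-parameter safe on its own, `size_t size = 0;` on the `size_t size;` line, so that a helper returning non-null without writing the length can never hand an indeterminate byte count to `env->NewByteArray(size)`. The exception text could also name the slot being read if the row and column are in scope (the function's parameter list is cut off at the hunk header, so I cannot confirm the names), which makes the CTS failure easier to triage than a bare `"Native could not read blob slot"`. The remainder of nativeGetBlob, including the copy into the new array, is outside this hunk.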
@@ -217,6 +221,10 @@ static jstring nativeGetString(JNIEnv* env, jclass clazz, jlong windowPtr,
if (type == CursorWindow::FIELD_TYPE_STRING) {
size_t sizeIncludingNull;
const char* value = window->getFieldSlotValueString(fieldSlot, &sizeIncludingNull);
+ if (!value) {
+ throw_sqlite3_exception(env, "Native could not read string slot");
+ return NULL;
+ }
if (sizeIncludingNull <= 1) {
return gEmptyString;
}
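Review bot: `sizeIncludingNull` is declared without an initializer and is only assigned inside `getFieldSlotValueString`, so the `if (!value)` guard is the sole thing standing between an unset length and the `sizeIncludingNull <= 1` comparison and whatever copy follows; initializing it, `size_t sizeIncludingNull = 0;`, costs nothing and keeps the function safe if the helper's error path ever changes. As in the blob case, the guard presumes the libandroidfw side returns NULL for an invalid offset, which is a separate change not shown here and worth noting in the commit message so the two are not backported independently. Consider also whether a CursorWindow bounds failure is really a SQLite error — `throw_sqlite3_exception` suggests a database error to callers, and if the file has an `IllegalStateException` helper that would describe a corrupt window more accurately (I cannot see the helpers from this hunk). nativeGetString continues past the end of this hunk.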