diff options
author | Fyodor Kupolov <fkupolov@google.com> | 2017-02-22 14:12:50 -0800 |
---|---|---|
committer | Sean McCreary <mccreary@mcwest.org> | 2017-05-21 14:44:46 -0600 |
commit | 1ab4755f260f714e473933f887cde8cf043a8313 (patch) | |
tree | 5e4fdfdb8f1ea87695f0e6cf6510fd116735af62 | |
parent | a7f586deb1ea914e6797ccc8c20120442c0d9050 (diff) | |
download | frameworks_base-1ab4755f260f714e473933f887cde8cf043a8313.tar.gz frameworks_base-1ab4755f260f714e473933f887cde8cf043a8313.tar.bz2 frameworks_base-1ab4755f260f714e473933f887cde8cf043a8313.zip |
[DO NOT MERGE] Throw exception if slot has invalid offset
Previously the process would crash, which is OK, but complicates testing.
Test: cts-tradefed run cts --module CtsContentTestCases
--test android.content.cts.ContentProviderCursorWindowTest
Bug: 34128677
AOSP-Change-Id: I5b50982d77ec65c442fbb973d14c85a5c29c43c7
(cherry picked from commit eb6de6f5f10148b9f81f9c0074d1e1f7af21bfb0)
(cherry picked from commit 676f703f746391cfdf05bafd2289226f7a6e5255)
CVE-2017-0598
Change-Id: If4df1645887525e00c2762d4c702efbccf2e0b5b
-rw-r--r-- | core/jni/android_database_CursorWindow.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/core/jni/android_database_CursorWindow.cpp b/core/jni/android_database_CursorWindow.cpp index 580ac02789c..a86e57dc024 100644 --- a/core/jni/android_database_CursorWindow.cpp +++ b/core/jni/android_database_CursorWindow.cpp @@ -182,6 +182,10 @@ static jbyteArray nativeGetBlob(JNIEnv* env, jclass clazz, jlong windowPtr, if (type == CursorWindow::FIELD_TYPE_BLOB || type == CursorWindow::FIELD_TYPE_STRING) { size_t size; const void* value = window->getFieldSlotValueBlob(fieldSlot, &size); + if (!value) { + throw_sqlite3_exception(env, "Native could not read blob slot"); + return NULL; + } jbyteArray byteArray = env->NewByteArray(size); if (!byteArray) { env->ExceptionClear(); @@ -217,6 +221,10 @@ static jstring nativeGetString(JNIEnv* env, jclass clazz, jlong windowPtr, if (type == CursorWindow::FIELD_TYPE_STRING) { size_t sizeIncludingNull; const char* value = window->getFieldSlotValueString(fieldSlot, &sizeIncludingNull); + if (!value) { + throw_sqlite3_exception(env, "Native could not read string slot"); + return NULL; + } if (sizeIncludingNull <= 1) { return gEmptyString; } |