diff options
Diffstat (limited to 'include/androidfw')
| -rw-r--r-- | include/androidfw/CursorWindow.h | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/include/androidfw/CursorWindow.h b/include/androidfw/CursorWindow.h index 8a2979a3756..2eb349f5716 100644 --- a/include/androidfw/CursorWindow.h +++ b/include/androidfw/CursorWindow.h @@ -18,6 +18,7 @@ #define _ANDROID__DATABASE_WINDOW_H #include <cutils/log.h> +#include <inttypes.h> #include <stddef.h> #include <stdint.h> @@ -128,12 +129,13 @@ public: inline const char* getFieldSlotValueString(FieldSlot* fieldSlot, size_t* outSizeIncludingNull) { *outSizeIncludingNull = fieldSlot->data.buffer.size; - return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset)); + return static_cast<char*>(offsetToPtr( + fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size)); } inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) { *outSize = fieldSlot->data.buffer.size; - return offsetToPtr(fieldSlot->data.buffer.offset); + return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size); } private: @@ -166,7 +168,16 @@ private: bool mReadOnly; Header* mHeader; - inline void* offsetToPtr(uint32_t offset) { + inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) { + if (offset >= mSize) { + ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize); + return NULL; + } + if (offset + bufferSize > mSize) { + ALOGE("End offset %" PRIu32 " out of bounds, max value %zu", + offset + bufferSize, mSize); + return NULL; + } return static_cast<uint8_t*>(mData) + offset; } |