Fixed CursorWindow signed math for x86 builds.
All tests for our recent CursorWindow changes have been passing for
ARM 64-bit builds, but they weren't executed against 32-bit x86
builds until after they were merged.
It's not actually safe to use the "off_t" type, so we need to cast
to "int32_t" when doing checks against possible-negative values,
such as in allocRow().
We also add tests that verify negative rows/columns are identified
as invalid positions, which requires that we check the resulting
pointer against both mSlotsEnd and mSlotsStart.
Bug: 169251528, 171276404, 171275409
Test: atest libandroidfw_tests:CursorWindowTest
Test: atest CtsDatabaseTestCases
Change-Id: Iea5f7546850f691e183fbb6e6d0952cd02b00d0f
diff --git a/libs/androidfw/CursorWindow.cpp b/libs/androidfw/CursorWindow.cpp
index 915c0d7..1b8db46 100644
--- a/libs/androidfw/CursorWindow.cpp
+++ b/libs/androidfw/CursorWindow.cpp
@@ -291,11 +291,11 @@
return INVALID_OPERATION;
}
size_t size = mNumColumns * kSlotSizeBytes;
- off_t newOffset = mSlotsOffset - size;
- if (newOffset < mAllocOffset) {
+ int32_t newOffset = mSlotsOffset - size;
+ if (newOffset < (int32_t) mAllocOffset) {
maybeInflate();
newOffset = mSlotsOffset - size;
- if (newOffset < mAllocOffset) {
+ if (newOffset < (int32_t) mAllocOffset) {
return NO_MEMORY;
}
}
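Review bot: The new check `newOffset < (int32_t) mAllocOffset` depends on narrowing an unsigned difference to `int32_t`, which is implementation-defined before C++20 when the value does not fit and which reads any offset above INT32_MAX as negative. Comparing in the unsigned domain avoids the conversion: `if (mSlotsOffset < mAllocOffset || size > mSlotsOffset - mAllocOffset)` ahead of computing `newOffset`, at both occurrences in this hunk. The field types and any cap on the window size are declared outside the hunk, so confirm whether offsets can reach 2 GiB; if they cannot, a comment stating that bound next to the cast would be enough. The function body starts and ends outside the hunk.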
@@ -311,7 +311,7 @@
return INVALID_OPERATION;
}
size_t size = mNumColumns * kSlotSizeBytes;
- off_t newOffset = mSlotsOffset + size;
+ size_t newOffset = mSlotsOffset + size;
if (newOffset > mSize) {
return NO_MEMORY;
}
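Review bot: `size_t newOffset = mSlotsOffset + size;` can wrap on builds where `size_t` is 32 bits, and a wrapped sum passes the `newOffset > mSize` test. The hunk at -326 has the same pattern, and there the rounding `(size + 3) & ~3` can itself wrap for a `size` near SIZE_MAX before `mAllocOffset + alignedSize` is compared with `mSlotsOffset`. Checking the remaining space instead of the sum avoids both, e.g. `if (size > mSize - mSlotsOffset)` here and `if (size > SIZE_MAX - 3 || alignedSize > mSlotsOffset - mAllocOffset)` there, assuming the invariants `mSlotsOffset <= mSize` and `mAllocOffset <= mSlotsOffset` hold. Where `size` originates is not visible in either hunk, so whether a caller can control it needs confirming.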
@@ -326,7 +326,7 @@
return INVALID_OPERATION;
}
size_t alignedSize = (size + 3) & ~3;
- off_t newOffset = mAllocOffset + alignedSize;
+ size_t newOffset = mAllocOffset + alignedSize;
if (newOffset > mSlotsOffset) {
maybeInflate();
newOffset = mAllocOffset + alignedSize;
@@ -345,7 +345,7 @@
// see CursorWindow_bench.cpp for more details
void *result = static_cast<uint8_t*>(mSlotsStart)
- (((row * mNumColumns) + column) << kSlotShift);
- if (result < mSlotsEnd || column >= mNumColumns) {
+ if (result < mSlotsEnd || result > mSlotsStart || column >= mNumColumns) {
LOG(ERROR) << "Failed to read row " << row << ", column " << column
<< " from a window with " << mNumRows << " rows, " << mNumColumns << " columns";
return nullptr;
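Review bot: The test `result < mSlotsEnd || result > mSlotsStart` runs only after the pointer has been formed from unvalidated indices, so it depends on the arithmetic in `((row * mNumColumns) + column) << kSlotShift` not wrapping. On a 32-bit build a large enough `row` could presumably wrap that offset back into the slot region and pass both comparisons while addressing a different slot than the one requested. Rejecting on the indices first, e.g. `if (row >= mNumRows || column >= mNumColumns)`, would not depend on pointer arithmetic outside the buffer; if the benchmark referenced in the comment rules that out, a comment stating the maximum row and column counts that keep the shift from wrapping would help. The types of `row` and `column` and the start of the function are outside the hunk.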