commit 8277174bbb1bd7ede556f72c2402a8c785d71352
author Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Fri Apr 12 21:40:57 2024 +0000
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Fri Apr 12 21:40:57 2024 +0000
tree f6b9ced3143f88c0c465fa7b6b4c852816f93d36
parent 1ec2ac8bc64811ab9c443e727bb02511dfecdb67
parent 637b6220b344f331b78c08436f2d141d668be95a

Merge cherrypicks of ['googleplex-android-review.googlesource.com/26749190'] into 24Q2-release.

Change-Id: Ibe0aec880c03a3efebecfd96993f53220fb1f338

lib/libstatssocket/stats_event.c

diff --git a/lib/libstatssocket/stats_event.c b/lib/libstatssocket/stats_event.c
index ade1b93..1c8aaf2 100644
--- a/lib/libstatssocket/stats_event.c
+++ b/lib/libstatssocket/stats_event.c
@@ -325,6 +325,9 @@
 
 // Side-effect: modifies event->errors if field has too many annotations
 static void increment_annotation_count(AStatsEvent* event) {
+    if (event->lastFieldPos >= event->bufSize) {
+        return;
+    }
     uint8_t fieldType = event->buf[event->lastFieldPos] & 0x0F;
     uint32_t oldAnnotationCount = (event->buf[event->lastFieldPos] & 0xF0) >> 4;
     uint32_t newAnnotationCount = oldAnnotationCount + 1;

lib/libstatssocket/tests/stats_event_test.cpp

diff --git a/lib/libstatssocket/tests/stats_event_test.cpp b/lib/libstatssocket/tests/stats_event_test.cpp
index 93a99f1..dea81c2 100644
--- a/lib/libstatssocket/tests/stats_event_test.cpp
+++ b/lib/libstatssocket/tests/stats_event_test.cpp
@@ -536,6 +536,50 @@
     AStatsEvent_release(event);
 }
 
+TEST(StatsEventTest, TestHeapBufferOverflowError) {
+    const std::string testString(4039, 'A');
+    const std::string testString2(47135, 'B');
+
+    AStatsEvent* event = AStatsEvent_obtain();
+    AStatsEvent_setAtomId(event, 100);
+
+    AStatsEvent_writeString(event, testString.c_str());
+    size_t bufferSize = 0;
+    AStatsEvent_getBuffer(event, &bufferSize);
+    EXPECT_EQ(bufferSize, 4060);
+    uint32_t errors = AStatsEvent_getErrors(event);
+    EXPECT_EQ(errors, 0);
+
+    // expand the buffer and fill with data up to the very last byte
+    AStatsEvent_writeString(event, testString2.c_str());
+    bufferSize = 0;
+    AStatsEvent_getBuffer(event, &bufferSize);
+    EXPECT_EQ(bufferSize, 50 * 1024);
+
+    errors = AStatsEvent_getErrors(event);
+    EXPECT_EQ(errors, 0);
+
+    // this write is no-op due to buffer reached its max capacity
+    // should set the overflow flag
+    AStatsEvent_writeString(event, testString2.c_str());
+    bufferSize = 0;
+    AStatsEvent_getBuffer(event, &bufferSize);
+    EXPECT_EQ(bufferSize, 50 * 1024);
+
+    errors = AStatsEvent_getErrors(event);
+    EXPECT_EQ(errors & ERROR_OVERFLOW, ERROR_OVERFLOW);
+
+    // here should be crash
+    AStatsEvent_addBoolAnnotation(event, 1, false);
+
+    AStatsEvent_write(event);
+
+    errors = AStatsEvent_getErrors(event);
+    EXPECT_EQ(errors & ERROR_OVERFLOW, ERROR_OVERFLOW);
+
+    AStatsEvent_release(event);
+}
+
 TEST(StatsEventTest, TestPullOverflowError) {
     const uint32_t atomId = 10100;
     const vector<uint8_t> bytes(430 /* number of elements */, 1 /* value of each element */);