ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

am 3fe9adc9: Merge "Fix write past end of memory." into lmp-dev

Browse source 
* commit '3fe9adc932948da8993d3f812bce1875efc47c0e':
  Fix write past end of memory.
This commit is contained in:
Christopher Ferris 2014-10-08 05:12:00 +00:00 committed by Android Git Automerger
commit 6f7fd39536
1 changed files with 9 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
libutils/BlobCache.cpp
View file

@ -31,7 +31,7 @@ namespace android {
static const uint32_t blobCacheMagic = ('_' << 24) + ('B' << 16) + ('b' << 8) + '$'; static const uint32_t blobCacheMagic = ('_' << 24) + ('B' << 16) + ('b' << 8) + '$';
// BlobCache::Header::mBlobCacheVersion value // BlobCache::Header::mBlobCacheVersion value
static const uint32_t blobCacheVersion = 1; static const uint32_t blobCacheVersion = 2;
// BlobCache::Header::mDeviceVersion value // BlobCache::Header::mDeviceVersion value
static const uint32_t blobCacheDeviceVersion = 1; static const uint32_t blobCacheDeviceVersion = 1;
@ -165,14 +165,13 @@ static inline size_t align4(size_t size) {
} }
size_t BlobCache::getFlattenedSize() const { size_t BlobCache::getFlattenedSize() const {
size_t size = sizeof(Header); size_t size = align4(sizeof(Header));
for (size_t i = 0; i < mCacheEntries.size(); i++) { for (size_t i = 0; i < mCacheEntries.size(); i++) {
const CacheEntry& e(mCacheEntries[i]); const CacheEntry& e(mCacheEntries[i]);
sp<Blob> keyBlob = e.getKey(); sp<Blob> keyBlob = e.getKey();
sp<Blob> valueBlob = e.getValue(); sp<Blob> valueBlob = e.getValue();
size = align4(size); size += align4(sizeof(EntryHeader) + keyBlob->getSize() +
size += sizeof(EntryHeader) + keyBlob->getSize() + valueBlob->getSize());
valueBlob->getSize();
} }
return size; return size;
} }
@ -200,7 +199,8 @@ status_t BlobCache::flatten(void* buffer, size_t size) const {
size_t valueSize = valueBlob->getSize(); size_t valueSize = valueBlob->getSize();
size_t entrySize = sizeof(EntryHeader) + keySize + valueSize; size_t entrySize = sizeof(EntryHeader) + keySize + valueSize;
if (byteOffset + entrySize > size) { size_t totalSize = align4(entrySize);
if (byteOffset + totalSize > size) {
ALOGE("flatten: not enough room for cache entries"); ALOGE("flatten: not enough room for cache entries");
return BAD_VALUE; return BAD_VALUE;
} }
@ -213,7 +213,6 @@ status_t BlobCache::flatten(void* buffer, size_t size) const {
memcpy(eheader->mData, keyBlob->getData(), keySize); memcpy(eheader->mData, keyBlob->getData(), keySize);
memcpy(eheader->mData + keySize, valueBlob->getData(), valueSize); memcpy(eheader->mData + keySize, valueBlob->getData(), valueSize);
size_t totalSize = align4(entrySize);
if (totalSize > entrySize) { if (totalSize > entrySize) {
// We have padding bytes. Those will get written to storage, and contribute to the CRC, // We have padding bytes. Those will get written to storage, and contribute to the CRC,
// so make sure we zero-them to have reproducible results. // so make sure we zero-them to have reproducible results.
@ -263,7 +262,8 @@ status_t BlobCache::unflatten(void const* buffer, size_t size) {
size_t valueSize = eheader->mValueSize; size_t valueSize = eheader->mValueSize;
size_t entrySize = sizeof(EntryHeader) + keySize + valueSize; size_t entrySize = sizeof(EntryHeader) + keySize + valueSize;
if (byteOffset + entrySize > size) { size_t totalSize = align4(entrySize);
if (byteOffset + totalSize > size) {
mCacheEntries.clear(); mCacheEntries.clear();
ALOGE("unflatten: not enough room for cache entry headers"); ALOGE("unflatten: not enough room for cache entry headers");
return BAD_VALUE; return BAD_VALUE;
@ -272,7 +272,7 @@ status_t BlobCache::unflatten(void const* buffer, size_t size) {
const uint8_t* data = eheader->mData; const uint8_t* data = eheader->mData;
set(data, keySize, data + keySize, valueSize); set(data, keySize, data + keySize, valueSize);
byteOffset += align4(entrySize); byteOffset += totalSize;
} }
return OK; return OK;