#define _ANDROID__DATABASE_WINDOW_H
#include <cutils/log.h>
+#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
inline const char* getFieldSlotValueString(FieldSlot* fieldSlot,
size_t* outSizeIncludingNull) {
*outSizeIncludingNull = fieldSlot->data.buffer.size;
- return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset));
+ return static_cast<char*>(offsetToPtr(
+ fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size));
}
inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) {
*outSize = fieldSlot->data.buffer.size;
- return offsetToPtr(fieldSlot->data.buffer.offset);
+ return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size);
}
private:
bool mReadOnly;
Header* mHeader;
- inline void* offsetToPtr(uint32_t offset) {
+ inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) {
+ if (offset >= mSize) {
+ ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize);
+ return NULL;
+ }
+ if (offset + bufferSize > mSize) {
+ ALOGE("End offset %" PRIu32 " out of bounds, max value %zu",
+ offset + bufferSize, mSize);
+ return NULL;
+ }
return static_cast<uint8_t*>(mData) + offset;
}
if (dupAshmemFd < 0) {
result = -errno;
} else {
+ // the size of the ashmem descriptor can be modified between ashmem_get_size_region
+ // call and mmap, so we'll check again immediately after memory is mapped
void* data = ::mmap(NULL, size, PROT_READ, MAP_SHARED, dupAshmemFd, 0);
if (data == MAP_FAILED) {
result = -errno;
+ } else if (ashmem_get_size_region(dupAshmemFd) != size) {
+ ::munmap(data, size);
+ result = BAD_VALUE;
} else {
CursorWindow* window = new CursorWindow(name, dupAshmemFd,
data, size, true /*readOnly*/);