The strlcpy size argument overflows on integer sanitized builds.
runtime error: unsigned integer overflow: 11 - 35 cannot be represented
in type 'unsigned long'
This doesn't cause a problem in practice because strlcpy stops at the
NUL terminator of TMP_FILE_PATTERN, and localTmpFileName is defined
large enough to contain TMP_FILE_PATTERN.
This changes the size argument to the remaining length in the buffer,
and removes an extraneous '/' write as TMP_FILE_PATTERN already begins
with '/'.
Bug:
30969751
Test: Reran CTS test which triggered the overflow.
Change-Id: I20b5deeaaa1a863324dfd1d94f3135920eae48d3
return INSTALL_SUCCEEDED;
}
- char localTmpFileName[nativeLibPath.size() + TMP_FILE_PATTERN_LEN + 2];
+ char localTmpFileName[nativeLibPath.size() + TMP_FILE_PATTERN_LEN + 1];
if (strlcpy(localTmpFileName, nativeLibPath.c_str(), sizeof(localTmpFileName))
!= nativeLibPath.size()) {
ALOGD("Couldn't allocate local file name for library");
return INSTALL_FAILED_INTERNAL_ERROR;
}
- *(localTmpFileName + nativeLibPath.size()) = '/';
-
if (strlcpy(localTmpFileName + nativeLibPath.size(), TMP_FILE_PATTERN,
- TMP_FILE_PATTERN_LEN - nativeLibPath.size()) != TMP_FILE_PATTERN_LEN) {
+ TMP_FILE_PATTERN_LEN + 1) != TMP_FILE_PATTERN_LEN) {
ALOGI("Couldn't allocate temporary file name for library");
return INSTALL_FAILED_INTERNAL_ERROR;
}
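Review bot: The size passed to the second strlcpy is the literal `TMP_FILE_PATTERN_LEN + 1`, which equals the space left in localTmpFileName only because the array declaration above uses the same expression. Deriving it from the buffer, `sizeof(localTmpFileName) - nativeLibPath.size()) != TMP_FILE_PATTERN_LEN) {`, keeps the bound tied to the declaration and cannot wrap, since sizeof is always larger than nativeLibPath.size(). With the explicit '/' write removed, the path is well-formed only if TMP_FILE_PATTERN starts with '/'. Its definition is outside the hunk, so a comment such as `// TMP_FILE_PATTERN must begin with '/': it is appended directly to nativeLibPath` at that call would record the dependency. The array is still a stack VLA sized by nativeLibPath.size(), and the enclosing function starts and ends outside the hunk, so whether the path length is bounded earlier should be confirmed there.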