OSDN Git Service

Fix temporary file name strlcpy size.
author Ivan Lozano <ivanlozano@google.com>
Fri, 15 Dec 2017 03:03:56 +0000 (19:03 -0800)
committer Ivan Lozano <ivanlozano@google.com>
Fri, 15 Dec 2017 17:32:40 +0000 (09:32 -0800)
The strlcpy size argument overflows on integer sanitized builds.

 runtime error: unsigned integer overflow: 11 - 35 cannot be represented
 in type 'unsigned long'

This doesn't cause a problem because strlcpy stops on the null in
TMP_FILE_PATTERN, and localTmpFileName is defined large enough to
contain TMP_FILE_PATTERN.

This changes the size argument to the remaining length in the buffer,
and removes an extraneous '/' write as TMP_FILE_PATTERN already begins
with '/'.

Bug: 30969751
Test: Reran CTS test which triggered the overflow.

Change-Id: I20b5deeaaa1a863324dfd1d94f3135920eae48d3

core/jni/com_android_internal_content_NativeLibraryHelper.cpp

index 17b98da..cc2646c 100644 (file)
@@ -236,17 +236,15 @@ copyFileIfChanged(JNIEnv *env, void* arg, ZipFileRO* zipFile, ZipEntryRO zipEntr
         return INSTALL_SUCCEEDED;
     }
 
-    char localTmpFileName[nativeLibPath.size() + TMP_FILE_PATTERN_LEN + 2];
+    char localTmpFileName[nativeLibPath.size() + TMP_FILE_PATTERN_LEN + 1];
     if (strlcpy(localTmpFileName, nativeLibPath.c_str(), sizeof(localTmpFileName))
             != nativeLibPath.size()) {
         ALOGD("Couldn't allocate local file name for library");
         return INSTALL_FAILED_INTERNAL_ERROR;
     }
 
-    *(localTmpFileName + nativeLibPath.size()) = '/';
-
     if (strlcpy(localTmpFileName + nativeLibPath.size(), TMP_FILE_PATTERN,
-                    TMP_FILE_PATTERN_LEN - nativeLibPath.size()) != TMP_FILE_PATTERN_LEN) {
+                    TMP_FILE_PATTERN_LEN + 1) != TMP_FILE_PATTERN_LEN) {
         ALOGI("Couldn't allocate temporary file name for library");
         return INSTALL_FAILED_INTERNAL_ERROR;
     }
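Review bot: The new size argument on the second strlcpy, `TMP_FILE_PATTERN_LEN + 1`, is a separately maintained constant that happens to equal the space left in `localTmpFileName`; the commit message describes it as "the remaining length in the buffer", so it would be safer to write it that way and let the compiler keep the two in sync, e.g. `sizeof(localTmpFileName) - nativeLibPath.size()` (the first strlcpy already uses `sizeof(localTmpFileName)` on this VLA, so the idiom is established in this function). As written, the arithmetic is only correct if `TMP_FILE_PATTERN_LEN` equals `strlen(TMP_FILE_PATTERN)` and the buffer declaration is never touched again. Also note that the `!= TMP_FILE_PATTERN_LEN` check on the return value cannot detect truncation, since strlcpy returns the length of the source string regardless of how much was copied; with the corrected size no truncation is possible, but if the check is meant as a guard it should compare the result against the size passed in.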