From 7f71764ce62fbb71f0ffc89ce9271115935fe240 Mon Sep 17 00:00:00 2001
From: Ivan Lozano
Date: Thu, 14 Dec 2017 19:03:56 -0800
Subject: [PATCH] Fix temporary file name strlcpy size.

The strlcpy size argument overflows on integer sanitized builds.
runtime error: unsigned integer overflow: 11 - 35 cannot be represented in type 'unsigned long'
This doesn't cause a problem because strlcpy stops on the null in TMP_FILE_PATTERN, and localTmpFileName is defined large enough to contain TMP_FILE_PATTERN. This changes the size argument to the remaining length in the buffer, and removes an extraneous '/' write as TMP_FILE_PATTERN already begins with '/'.
Bug: 30969751
Test: Reran CTS test which triggered the overflow.
Change-Id: I20b5deeaaa1a863324dfd1d94f3135920eae48d3
Merged-In: I20b5deeaaa1a863324dfd1d94f3135920eae48d2
(cherry picked from commit 62fc14894b32f35641ae2b61ef7ed054c9660288)
---
core/jni/com_android_internal_content_NativeLibraryHelper.cpp | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/core/jni/com_android_internal_content_NativeLibraryHelper.cpp b/core/jni/com_android_internal_content_NativeLibraryHelper.cpp
index fce5dd58d7f9..685df0f33391 100644
--- a/core/jni/com_android_internal_content_NativeLibraryHelper.cpp
+++ b/core/jni/com_android_internal_content_NativeLibraryHelper.cpp
@@ -236,17 +236,15 @@ copyFileIfChanged(JNIEnv *env, void* arg, ZipFileRO* zipFile, ZipEntryRO zipEntr return INSTALL_SUCCEEDED; } - char localTmpFileName[nativeLibPath.size() + TMP_FILE_PATTERN_LEN + 2]; + char localTmpFileName[nativeLibPath.size() + TMP_FILE_PATTERN_LEN + 1]; if (strlcpy(localTmpFileName, nativeLibPath.c_str(), sizeof(localTmpFileName)) != nativeLibPath.size()) { ALOGD("Couldn't allocate local file name for library"); return INSTALL_FAILED_INTERNAL_ERROR; } - *(localTmpFileName + nativeLibPath.size()) = '/'; - if (strlcpy(localTmpFileName + nativeLibPath.size(), TMP_FILE_PATTERN, - TMP_FILE_PATTERN_LEN - nativeLibPath.size()) != TMP_FILE_PATTERN_LEN) { + TMP_FILE_PATTERN_LEN + 1) != TMP_FILE_PATTERN_LEN) { ALOGI("Couldn't allocate temporary file name for library"); return INSTALL_FAILED_INTERNAL_ERROR; } -- 2.11.0
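Review bot: The return-value test on the changed strlcpy line cannot detect truncation, because strlcpy returns the length of the source string; comparing it with `TMP_FILE_PATTERN_LEN` only confirms that the macro matches the literal (its definition is outside the hunk), and the earlier copy's `!= nativeLibPath.size()` test has the same shape. The bound `TMP_FILE_PATTERN_LEN + 1` is also correct only because it mirrors the array declaration a few lines up, so the two can drift apart the next time that declaration changes. Deriving the bound from the buffer and testing for truncation directly would cover both: `const size_t remaining = sizeof(localTmpFileName) - nativeLibPath.size();` followed by `if (strlcpy(localTmpFileName + nativeLibPath.size(), TMP_FILE_PATTERN, remaining) >= remaining) {`. With the array sized exactly as it is now no truncation occurs, so this is hardening rather than a live overflow. copyFileIfChanged begins and ends outside the hunk.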