am 3fe9adc9: Merge "Fix write past end of memory." into lmp-dev

* commit '3fe9adc932948da8993d3f812bce1875efc47c0e':
  Fix write past end of memory.
This commit is contained in:
Christopher Ferris 2014-10-08 05:12:00 +00:00 committed by Android Git Automerger
commit 6f7fd39536

View file

@ -31,7 +31,7 @@ namespace android {
static const uint32_t blobCacheMagic = ('_' << 24) + ('B' << 16) + ('b' << 8) + '$';
// BlobCache::Header::mBlobCacheVersion value
static const uint32_t blobCacheVersion = 1;
static const uint32_t blobCacheVersion = 2;
// BlobCache::Header::mDeviceVersion value
static const uint32_t blobCacheDeviceVersion = 1;
@ -165,14 +165,13 @@ static inline size_t align4(size_t size) {
}
size_t BlobCache::getFlattenedSize() const {
size_t size = sizeof(Header);
size_t size = align4(sizeof(Header));
for (size_t i = 0; i < mCacheEntries.size(); i++) {
const CacheEntry& e(mCacheEntries[i]);
sp<Blob> keyBlob = e.getKey();
sp<Blob> valueBlob = e.getValue();
size = align4(size);
size += sizeof(EntryHeader) + keyBlob->getSize() +
valueBlob->getSize();
size += align4(sizeof(EntryHeader) + keyBlob->getSize() +
valueBlob->getSize());
}
return size;
}
@ -200,7 +199,8 @@ status_t BlobCache::flatten(void* buffer, size_t size) const {
size_t valueSize = valueBlob->getSize();
size_t entrySize = sizeof(EntryHeader) + keySize + valueSize;
if (byteOffset + entrySize > size) {
size_t totalSize = align4(entrySize);
if (byteOffset + totalSize > size) {
ALOGE("flatten: not enough room for cache entries");
return BAD_VALUE;
}
@ -213,7 +213,6 @@ status_t BlobCache::flatten(void* buffer, size_t size) const {
memcpy(eheader->mData, keyBlob->getData(), keySize);
memcpy(eheader->mData + keySize, valueBlob->getData(), valueSize);
size_t totalSize = align4(entrySize);
if (totalSize > entrySize) {
// We have padding bytes. Those will get written to storage, and contribute to the CRC,
// so make sure we zero-them to have reproducible results.
@ -263,7 +262,8 @@ status_t BlobCache::unflatten(void const* buffer, size_t size) {
size_t valueSize = eheader->mValueSize;
size_t entrySize = sizeof(EntryHeader) + keySize + valueSize;
if (byteOffset + entrySize > size) {
size_t totalSize = align4(entrySize);
if (byteOffset + totalSize > size) {
mCacheEntries.clear();
ALOGE("unflatten: not enough room for cache entry headers");
return BAD_VALUE;
@ -272,7 +272,7 @@ status_t BlobCache::unflatten(void const* buffer, size_t size) {
const uint8_t* data = eheader->mData;
set(data, keySize, data + keySize, valueSize);
byteOffset += align4(entrySize);
byteOffset += totalSize;
}
return OK;