am 3fe9adc9: Merge "Fix write past end of memory." into lmp-dev

* commit '3fe9adc932948da8993d3f812bce1875efc47c0e':
  Fix write past end of memory.
diff --git a/libutils/BlobCache.cpp b/libutils/BlobCache.cpp
index 8edb401..0ea09cf 100644
--- a/libutils/BlobCache.cpp
+++ b/libutils/BlobCache.cpp
@@ -31,7 +31,7 @@
 static const uint32_t blobCacheMagic = ('_' << 24) + ('B' << 16) + ('b' << 8) + '$';
 
 // BlobCache::Header::mBlobCacheVersion value
-static const uint32_t blobCacheVersion = 1;
+static const uint32_t blobCacheVersion = 2;
 
 // BlobCache::Header::mDeviceVersion value
 static const uint32_t blobCacheDeviceVersion = 1;
@@ -165,14 +165,13 @@
 }
 
 size_t BlobCache::getFlattenedSize() const {
-    size_t size = sizeof(Header);
+    size_t size = align4(sizeof(Header));
     for (size_t i = 0; i < mCacheEntries.size(); i++) {
         const CacheEntry& e(mCacheEntries[i]);
         sp<Blob> keyBlob = e.getKey();
         sp<Blob> valueBlob = e.getValue();
-        size = align4(size);
-        size += sizeof(EntryHeader) + keyBlob->getSize() +
-                valueBlob->getSize();
+        size += align4(sizeof(EntryHeader) + keyBlob->getSize() +
+                       valueBlob->getSize());
     }
     return size;
 }
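Review bot: getFlattenedSize() now encodes the serialized layout (header padded to 4 bytes, every entry padded to 4 bytes), but nothing in the function says that this must match what flatten() writes, which appears to be the mismatch behind the write past the end. A comment above the loop such as `// Must mirror flatten(): the header and each entry are padded to a 4-byte boundary.` would keep the two in step. The hunk does not show whether flatten() starts its byteOffset at `align4(sizeof(Header))`; if it starts at `sizeof(Header)`, the two agree only while the header size is a multiple of 4, so that is worth confirming.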
@@ -200,7 +199,8 @@
         size_t valueSize = valueBlob->getSize();
 
         size_t entrySize = sizeof(EntryHeader) + keySize + valueSize;
-        if (byteOffset + entrySize > size) {
+        size_t totalSize = align4(entrySize);
+        if (byteOffset + totalSize > size) {
             ALOGE("flatten: not enough room for cache entries");
             return BAD_VALUE;
         }
@@ -213,7 +213,6 @@
         memcpy(eheader->mData, keyBlob->getData(), keySize);
         memcpy(eheader->mData + keySize, valueBlob->getData(), valueSize);
 
-        size_t totalSize = align4(entrySize);
         if (totalSize > entrySize) {
             // We have padding bytes. Those will get written to storage, and contribute to the CRC,
             // so make sure we zero-them to have reproducible results.
@@ -263,7 +262,8 @@
         size_t valueSize = eheader->mValueSize;
         size_t entrySize = sizeof(EntryHeader) + keySize + valueSize;
 
-        if (byteOffset + entrySize > size) {
+        size_t totalSize = align4(entrySize);
+        if (byteOffset + totalSize > size) {
             mCacheEntries.clear();
             ALOGE("unflatten: not enough room for cache entry headers");
             return BAD_VALUE;
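Review bot: The new check `byteOffset + totalSize > size` is still an addition that can wrap, and in unflatten the sizes feeding it are read from the entry header (`eheader->mValueSize` is visible here; keySize is assigned above the hunk, presumably the same way). If the flattened buffer comes from storage that is corrupt or has been modified, a large keySize or valueSize can wrap `entrySize`, `align4(entrySize)` or the sum on a 32-bit `size_t`, so the check passes and `set(data, keySize, ...)` in the next hunk reads beyond the buffer. Comparing against the remaining space avoids the wrap: `size_t remaining = size - byteOffset;` followed by `if (keySize > remaining || valueSize > remaining - keySize || totalSize < entrySize || totalSize > remaining) {`, assuming `byteOffset <= size` is already established earlier in the loop, which is outside the hunk. The flatten check at `@@ -200,7` has the same form, but its sizes come from in-memory blobs.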
@@ -272,7 +272,7 @@
         const uint8_t* data = eheader->mData;
         set(data, keySize, data + keySize, valueSize);
 
-        byteOffset += align4(entrySize);
+        byteOffset += totalSize;
     }
 
     return OK;