Throw ArrayStoreException instead of corrupting the heap.
Protect against bad calls to SetObjectArrayElement. Found while debugging
a Chrome crash. (This will make Chrome fail at the point where it does the
invalid operation rather than later, but we already merged the fix upstream.)
Change-Id: Ie7b2238d99f2ee4dde46342eb77cfec0495a30e7
diff --git a/vm/Jni.cpp b/vm/Jni.cpp
index 6a5f5d0..8593505 100644
--- a/vm/Jni.cpp
+++ b/vm/Jni.cpp
@@ -2301,9 +2301,18 @@
return;
}
+ Object* obj = dvmDecodeIndirectRef(ts.self(), jobj);
+
+ if (obj != NULL && !dvmCanPutArrayElement(obj->clazz, arrayObj->clazz)) {
+ ALOGV("Can't put a '%s'(%p) into array type='%s'(%p)",
+ obj->clazz->descriptor, obj,
+ arrayObj->obj.clazz->descriptor, arrayObj);
+ dvmThrowArrayStoreExceptionIncompatibleElement(obj->clazz, arrayObj->clazz);
+ return;
+ }
+
//ALOGV("JNI: set element %d in array %p to %p", index, array, value);
- Object* obj = dvmDecodeIndirectRef(ts.self(), jobj);
dvmSetObjectArrayElement(arrayObj, index, obj);
}
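Review bot: The array's class is spelled two ways in the new guard: `arrayObj->clazz` on the `if` line and in the `dvmThrowArrayStoreExceptionIncompatibleElement` call, but `arrayObj->obj.clazz->descriptor` in the ALOGV argument. It seems unlikely that both forms resolve against the same ArrayObject definition, and because ALOGV is compiled out in non-verbose builds a mistake in the log line would not be caught by a normal build, so the log line should use the same expression as the check, `arrayObj->clazz->descriptor` (or the `obj.` form in all three places, whichever the header actually defines). The guard itself is right to let a null `obj` through, since storing null is valid for any reference array. The enclosing SetObjectArrayElement body starts outside the hunk, so whether an index bounds check already precedes this point cannot be confirmed from here.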