Ensure that we never trigger ArrayIndexOutOfBoundsException by checking that
the index is always < the array's length. Also ensures that the object's
state is consistent. Should resolve a denial-of-service bug when handling
malformed WAP pushes.
diff --git a/telephony/java/com/android/internal/telephony/WspTypeDecoder.java b/telephony/java/com/android/internal/telephony/WspTypeDecoder.java
index 2984fa8..3bbe0e1 100644
--- a/telephony/java/com/android/internal/telephony/WspTypeDecoder.java
+++ b/telephony/java/com/android/internal/telephony/WspTypeDecoder.java
@@ -187,22 +187,30 @@
}
/**
- * Decode the "Extension-media" type for WSP pdu
- *
- * @param startIndex The starting position of the "Extension-media" in this pdu
- *
- * @return false when error(not a Extension-media) occur
- * return value can be retrieved by getValueString() method
- * length of data in pdu can be retrieved by getValue32() method
- */
+ * Decode the "Extension-media" type for WSP PDU.
+ *
+ * @param startIndex The starting position of the "Extension-media" in this PDU.
+ *
+ * @return false on error, such as if there is no Extension-media at startIndex.
+ * Side-effects: updates stringValue (available with getValueString()), which will be
+ * null on error. The length of the data in the PDU is available with getValue32(), 0
+ * on error.
+ */
public boolean decodeExtensionMedia(int startIndex) {
int index = startIndex;
- while (wspData[index] != 0) {
+ dataLength = 0;
+ stringValue = null;
+ int length = wspData.length;
+ boolean rtrn = index < length;
+
+ while (index < length && wspData[index] != 0) {
index++;
}
+
dataLength = index - startIndex + 1;
stringValue = new String(wspData, startIndex, dataLength - 1);
- return true;
+
+ return rtrn;
}
/**
