Bounds check read and write path in native code.

Already checked in Java, but requested by security review.

Change-Id: I5314dbc32546278b977236a154fba03f38610b1a
diff --git a/core/jni/android_bluetooth_BluetoothSocket.cpp b/core/jni/android_bluetooth_BluetoothSocket.cpp
index 70d74d52..2532eff 100644
--- a/core/jni/android_bluetooth_BluetoothSocket.cpp
+++ b/core/jni/android_bluetooth_BluetoothSocket.cpp
@@ -402,7 +402,6 @@
     return -1;
 }
 
-/** jb must not be null. offset and offset+length must be within array */
 static jint readNative(JNIEnv *env, jobject obj, jbyteArray jb, jint offset,
         jint length) {
 #ifdef HAVE_BLUETOOTH
@@ -410,10 +409,20 @@
 
     int ret;
     jbyte *b;
+    int sz;
     struct asocket *s = get_socketData(env, obj);
 
     if (!s)
         return -1;
+    if (jb == NULL) {
+        jniThrowIOException(env, EINVAL);
+        return -1;
+    }
+    sz = env->GetArrayLength(jb);
+    if (offset < 0 || length < 0 || offset + length > sz) {
+        jniThrowIOException(env, EINVAL);
+        return -1;
+    }
 
     b = env->GetByteArrayElements(jb, NULL);
     if (b == NULL) {
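Review bot: The new guard in readNative computes `offset + length` on two signed `jint` values, so two large non-negative arguments can overflow the sum. That is undefined behaviour in C++ and on typical targets wraps to a negative number, which passes the `> sz` comparison. Since this check is meant to hold independently of the Java-side validation, it should avoid the addition: `if (offset < 0 || length < 0 || length > sz - offset) {`. Here `sz - offset` cannot overflow because both operands are non-negative at that point. The identical expression is added to writeNative in the `@@ -444,10 +452,20 @@` hunk and needs the same change; both function bodies continue outside their hunks.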
@@ -436,7 +445,6 @@
     return -1;
 }
 
-/** jb must not be null. offset and offset+length must be within array */
 static jint writeNative(JNIEnv *env, jobject obj, jbyteArray jb, jint offset,
         jint length) {
 #ifdef HAVE_BLUETOOTH
@@ -444,10 +452,20 @@
 
     int ret;
     jbyte *b;
+    int sz;
     struct asocket *s = get_socketData(env, obj);
 
     if (!s)
         return -1;
+    if (jb == NULL) {
+        jniThrowIOException(env, EINVAL);
+        return -1;
+    }
+    sz = env->GetArrayLength(jb);
+    if (offset < 0 || length < 0 || offset + length > sz) {
+        jniThrowIOException(env, EINVAL);
+        return -1;
+    }
 
     b = env->GetByteArrayElements(jb, NULL);
     if (b == NULL) {