commit 74fa0010195f9e56efb37e4ad4e4033554447dbb
author android-build-team Robot <android-build-team-robot@google.com> Tue May 08 19:00:58 2018 +0000
committer android-build-team Robot <android-build-team-robot@google.com> Tue May 08 19:00:58 2018 +0000
tree b43916a3319f31a88b2067ffb83ad3560e0cd683
parent 1f56232eeb266696121cc78e7c81bfb3c8550a56
parent 75ffe6bf98aaf85fde96188ebb0c9aae7810f24b

Merge cherrypicks of [4025538, 4025981, 4025580, 4024762, 4024763, 4025174, 4026015, 4026016, 4025704, 4025983, 4025597, 4025986, 4025988, 4025990, 4024386, 4024387, 4024388, 4024389, 4024390, 4024391, 4024392, 4024766, 4026038, 4024767, 4026039, 4026040, 4026041, 4026042, 4026043, 4026044, 4026045, 4026046, 4026047, 4026048, 4025720] into sparse-4749909-L37000000170952244

Change-Id: Ie2729043aa789c33d62014bcc0c19246f828f5d9

src/java/com/android/internal/telephony/InboundSmsHandler.java

diff --git a/src/java/com/android/internal/telephony/InboundSmsHandler.java b/src/java/com/android/internal/telephony/InboundSmsHandler.java
index 2d663cd..99fd965 100644
--- a/src/java/com/android/internal/telephony/InboundSmsHandler.java
+++ b/src/java/com/android/internal/telephony/InboundSmsHandler.java
@@ -74,6 +74,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import android.util.EventLog;
 
 /**
  * This class broadcasts incoming SMS messages to interested apps after storing them in
@@ -803,6 +804,19 @@
         int destPort = tracker.getDestPort();
         boolean block = false;
 
+        // Do not process when the message count is invalid.
+        if (messageCount <= 0) {
+            EventLog.writeEvent(
+                    0x534e4554 /* snetTagId */,
+                    "72298611" /* buganizer id */,
+                    -1 /* uid */,
+                    String.format(
+                            "processMessagePart: invalid messageCount = %d",
+                            messageCount));
+
+            return false;
+        }
+
         if (messageCount == 1) {
             // single-part message
             pdus = new byte[][]{tracker.getPdu()};
@@ -838,6 +852,21 @@
                     int index = cursor.getInt(PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING
                             .get(SEQUENCE_COLUMN)) - tracker.getIndexOffset();
 
+                    // The invalid PDUs can be received and stored in the raw table. The range
+                    // check ensures the process not crash even if the seqNumber in the
+                    // UserDataHeader is invalid.
+                    if (index >= pdus.length || index < 0) {
+                        EventLog.writeEvent(
+                                0x534e4554 /* snetTagId */,
+                                "72298611" /* buganizer id */,
+                                -1 /* uid */,
+                                String.format(
+                                        "processMessagePart: invalid seqNumber = %d, messageCount = %d",
+                                        index + tracker.getIndexOffset(),
+                                        messageCount));
+                        continue;
+                    }
+
                     pdus[index] = HexDump.hexStringToByteArray(cursor.getString(
                             PDU_SEQUENCE_PORT_PROJECTION_INDEX_MAPPING.get(PDU_COLUMN)));