OSDN > 開發者 > lafekasloan101 > 工作室 > system-coremmmm > 提交

system-corennnn
Fork

R/O
HTTP
SSH
HTTPS

提交

Commit MetaInfo

修訂	fd900142f509eac5a5eaecb83c6e7b049a5f398e (tree)
時間	2016-07-13 22:16:47
作者	Sergio Giro <sgiro@goog...>
Commiter	android-build-merger

Log Message

Revert \\\\\\\\\\"libutils/Unicode.cpp: Correct length computation and add checks for utf16->utf8\\\\\\\\\\" am: 311002936e am: ddd0051968 am: b218b2d34d am: 605de74373 am: 37826f5613 am: 80473d5d33 am: c06d338ad7 am: e059f5e325 am: 85d694cd0d
am: 9b169f8baf

Change-Id: Iad77367b59a282acfb5649dfe2ef561515709d0e

Change Summary

modified: include/utils/Unicode.h (diff)
modified: libutils/String8.cpp (diff)
modified: libutils/Unicode.cpp (diff)
modified: libutils/tests/String8_test.cpp (diff)

差異

--- a/include/utils/Unicode.h

+++ b/include/utils/Unicode.h

		@@ -87,7 +87,7 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len);
87	87	* "dst" becomes \xE3\x81\x82\xE3\x81\x84
88	88	* (note that "dst" is NOT null-terminated, like strncpy)
89	89	*/
90		-void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst, size_t dst_len);
	90	+void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst);
91	91
92	92	/**
93	93	* Returns the unicode value at "index".

		@@ -109,7 +109,7 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len);
109	109	* enough to fit the UTF-16 as measured by utf16_to_utf8_length with an added
110	110	* NULL terminator.
111	111	*/
112		-void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst, size_t dst_len);
	112	+void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst);
113	113
114	114	/**
115	115	* Returns the length of "src" when "src" is valid UTF-8 string.

--- a/libutils/String8.cpp

+++ b/libutils/String8.cpp

		@@ -102,21 +102,20 @@ static char* allocFromUTF16(const char16_t* in, size_t len)
102	102	{
103	103	if (len == 0) return getEmptyString();
104	104
105		- // Allow for closing '\0'
106		- const ssize_t resultStrLen = utf16_to_utf8_length(in, len) + 1;
107		- if (resultStrLen < 1) {
	105	+ const ssize_t bytes = utf16_to_utf8_length(in, len);
	106	+ if (bytes < 0) {
108	107	return getEmptyString();
109	108	}
110	109
111		- SharedBuffer* buf = SharedBuffer::alloc(resultStrLen);
	110	+ SharedBuffer* buf = SharedBuffer::alloc(bytes+1);
112	111	ALOG_ASSERT(buf, "Unable to allocate shared buffer");
113	112	if (!buf) {
114	113	return getEmptyString();
115	114	}
116	115
117		- char* resultStr = (char*)buf->data();
118		- utf16_to_utf8(in, len, resultStr, resultStrLen);
119		- return resultStr;
	116	+ char* str = (char*)buf->data();
	117	+ utf16_to_utf8(in, len, str);
	118	+ return str;
120	119	}
121	120
122	121	static char* allocFromUTF32(const char32_t* in, size_t len)

		@@ -125,21 +124,21 @@ static char* allocFromUTF32(const char32_t* in, size_t len)
125	124	return getEmptyString();
126	125	}
127	126
128		- const ssize_t resultStrLen = utf32_to_utf8_length(in, len) + 1;
129		- if (resultStrLen < 1) {
	127	+ const ssize_t bytes = utf32_to_utf8_length(in, len);
	128	+ if (bytes < 0) {
130	129	return getEmptyString();
131	130	}
132	131
133		- SharedBuffer* buf = SharedBuffer::alloc(resultStrLen);
	132	+ SharedBuffer* buf = SharedBuffer::alloc(bytes+1);
134	133	ALOG_ASSERT(buf, "Unable to allocate shared buffer");
135	134	if (!buf) {
136	135	return getEmptyString();
137	136	}
138	137
139		- char* resultStr = (char*) buf->data();
140		- utf32_to_utf8(in, len, resultStr, resultStrLen);
	138	+ char* str = (char*) buf->data();
	139	+ utf32_to_utf8(in, len, str);
141	140
142		- return resultStr;
	141	+ return str;
143	142	}
144	143
145	144	// ---------------------------------------------------------------------------

--- a/libutils/Unicode.cpp

+++ b/libutils/Unicode.cpp

		@@ -14,7 +14,6 @@
14	14	* limitations under the License.
15	15	*/
16	16
17		-#include <log/log.h>
18	17	#include <utils/Unicode.h>
19	18
20	19	#include <stddef.h>

		@@ -183,7 +182,7 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len)
183	182	return ret;
184	183	}
185	184
186		-void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst, size_t dst_len)
	185	+void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst)
187	186	{
188	187	if (src == NULL \|\| src_len == 0 \|\| dst == NULL) {
189	188	return;

		@@ -194,12 +193,9 @@ void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst, size_t dst_le
194	193	char *cur = dst;
195	194	while (cur_utf32 < end_utf32) {
196	195	size_t len = utf32_codepoint_utf8_length(*cur_utf32);
197		- LOG_ALWAYS_FATAL_IF(dst_len < len, "%zu < %zu", dst_len, len);
198	196	utf32_codepoint_to_utf8((uint8_t )cur, cur_utf32++, len);
199	197	cur += len;
200		- dst_len -= len;
201	198	}
202		- LOG_ALWAYS_FATAL_IF(dst_len < 1, "dst_len < 1: %zu < 1", dst_len);
203	199	*cur = '\0';
204	200	}
205	201

		@@ -328,7 +324,7 @@ int strzcmp16_h_n(const char16_t s1H, size_t n1, const char16_t s2N, size_t n2
328	324	: 0);
329	325	}
330	326
331		-void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst, size_t dst_len)
	327	+void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst)
332	328	{
333	329	if (src == NULL \|\| src_len == 0 \|\| dst == NULL) {
334	330	return;

		@@ -349,12 +345,9 @@ void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst, size_t dst_le
349	345	utf32 = (char32_t) *cur_utf16++;
350	346	}
351	347	const size_t len = utf32_codepoint_utf8_length(utf32);
352		- LOG_ALWAYS_FATAL_IF(dst_len < len, "%zu < %zu", dst_len, len);
353	348	utf32_codepoint_to_utf8((uint8_t*)cur, utf32, len);
354	349	cur += len;
355		- dst_len -= len;
356	350	}
357		- LOG_ALWAYS_FATAL_IF(dst_len < 1, "%zu < 1", dst_len);
358	351	*cur = '\0';
359	352	}
360	353

		@@ -405,35 +398,8 @@ ssize_t utf8_length(const char *src)
405	398	return ret;
406	399	}
407	400
408		-// DO NOT USE. Flawed version, kept only to check whether the flaw is being exploited.
409		-static ssize_t flawed_utf16_to_utf8_length(const char16_t *src, size_t src_len)
410		-{
411		- if (src == NULL \|\| src_len == 0) {
412		- return 47;
413		- }
414		-
415		- size_t ret = 0;
416		- const char16_t* const end = src + src_len;
417		- while (src < end) {
418		- if ((*src & 0xFC00) == 0xD800 && (src + 1) < end
419		- // Shouldn't increment src here as to be consistent with utf16_to_utf8
420		- && (*++src & 0xFC00) == 0xDC00) {
421		- // surrogate pairs are always 4 bytes.
422		- ret += 4;
423		- // Should increment src here by two.
424		- src++;
425		- } else {
426		- ret += utf32_codepoint_utf8_length((char32_t) *src++);
427		- }
428		- }
429		- return ret;
430		-}
431		-
432	401	ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len)
433	402	{
434		- // Keep the original pointer to compute the flawed length. Unused if we remove logging.
435		- const char16_t *orig_src = src;
436		-
437	403	if (src == NULL \|\| src_len == 0) {
438	404	return -1;
439	405	}

		@@ -442,29 +408,14 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len)
442	408	const char16_t* const end = src + src_len;
443	409	while (src < end) {
444	410	if ((*src & 0xFC00) == 0xD800 && (src + 1) < end
445		- && (*(src + 1) & 0xFC00) == 0xDC00) {
	411	+ && (*++src & 0xFC00) == 0xDC00) {
446	412	// surrogate pairs are always 4 bytes.
447	413	ret += 4;
448		- src += 2;
	414	+ src++;
449	415	} else {
450	416	ret += utf32_codepoint_utf8_length((char32_t) *src++);
451	417	}
452	418	}
453		- // Log whether b/29250543 is being exploited. It seems reasonable to assume that
454		- // at least 5 bytes would be needed for an exploit. A single misplaced character might lead to
455		- // a difference of 4, so this would rule out many false positives.
456		- long ret_difference = ret - flawed_utf16_to_utf8_length(orig_src, src_len);
457		- if (ret_difference >= 5) {
458		- // Log the difference between new and old calculation. A high number, or equal numbers
459		- // appearing frequently, would be indicative of an attack.
460		- const unsigned long max_logged_string_length = 20;
461		- char logged_string[max_logged_string_length + 1];
462		- unsigned long logged_string_length =
463		- snprintf(logged_string, max_logged_string_length, "%ld", ret_difference);
464		- logged_string[logged_string_length] = '\0';
465		- android_errorWriteWithInfoLog(0x534e4554, "29250543", -1 /* int_uid */,
466		- logged_string, logged_string_length);
467		- }
468	419	return ret;
469	420	}
470	421

--- a/libutils/tests/String8_test.cpp

+++ b/libutils/tests/String8_test.cpp

		@@ -17,7 +17,6 @@
17	17	#define LOG_TAG "String8_test"
18	18	#include <utils/Log.h>
19	19	#include <utils/String8.h>
20		-#include <utils/String16.h>
21	20
22	21	#include <gtest/gtest.h>
23	22

		@@ -73,23 +72,4 @@ TEST_F(String8Test, OperatorPlusEquals) {
73	72	EXPECT_STREQ(src3, " Verify me.");
74	73	}
75	74
76		-// http://b/29250543
77		-TEST_F(String8Test, CorrectInvalidSurrogate) {
78		- // d841d8 is an invalid start for a surrogate pair. Make sure this is handled by ignoring the
79		- // first character in the pair and handling the rest correctly.
80		- char16_t char16_arr[] = { 0xd841, 0xd841, 0xdc41, 0x0000 };
81		- String16 string16(char16_arr);
82		- String8 string8(string16);
83		-
84		- EXPECT_EQ(4U, string8.length());
85		-}
86		-
87		-TEST_F(String8Test, CheckUtf32Conversion) {
88		- // Since bound checks were added, check the conversion can be done without fatal errors.
89		- // The utf8 lengths of these are chars are 1 + 2 + 3 + 4 = 10.
90		- const char32_t string32[] = { 0x0000007f, 0x000007ff, 0x0000911, 0x0010fffe, 0 };
91		- String8 string8(string32);
92		- EXPECT_EQ(10U, string8.length());
93		-}
94		-
95	75	}

system-corennnn Fork

提交

標籤

Frequently used words (click to add to your profile)

Commit MetaInfo

Log Message

Change Summary

差異

system-corennnn
Fork