author | Jeff Hamilton <jham@android.com> | 2009-09-01 00:29:12 -0500 |
---|---|---|
committer | Jeff Hamilton <jham@android.com> | 2009-09-01 00:29:12 -0500 |
commit | cc6719f08251a892e435f8d9d44e9d8fa18d7cbe (patch) | |
tree | 23ba1c0702542e3f648cfb4126ec63565e5b2537 /android/PhoneticStringUtils.cpp | |
parent | b020ccd8772182ddfccba30b5adbc500982b59c1 (diff) |
Avoid a buffer overrun in GET_NORMALIZED_STRING.
This custom SQL function uses a fixed buffer of
128 characters and would overrun the buffer if
passed a longer src string.
Also, fix another problem with the function
where it was using the incorrect value for
next_codepoint. It was reading from the
destination array not the source array.
Bug: 2089658
Diffstat (limited to 'android/PhoneticStringUtils.cpp')
-rw-r--r-- | android/PhoneticStringUtils.cpp | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/android/PhoneticStringUtils.cpp b/android/PhoneticStringUtils.cpp
index da5767f..cf85cb8 100644
--- a/android/PhoneticStringUtils.cpp
+++ b/android/PhoneticStringUtils.cpp
@@ -292,7 +292,7 @@ static bool GetExpectedString(
 src = STR_FOR_NULL_STR;
 }
- char32_t codepoints[MAX_CODEPOINTS];
+ char32_t codepoints[MAX_CODEPOINTS]; // if array size is changed the for loop needs to be changed
 size_t src_len = utf8_length(src);
 if (src_len == 0) {
@@ -300,7 +300,7 @@ static bool GetExpectedString(
 }
 bool next_is_consumed;
 size_t j = 0;
- for (size_t i = 0; i < src_len;) {
+ for (size_t i = 0; i < src_len && j < MAX_CODEPOINTS;) {
 int32_t ret = utf32_at(src, src_len, i, &i);
 if (ret < 0) {
 // failed to parse UTF-8
@@ -308,7 +308,7 @@ static bool GetExpectedString(
 }
 ret = get_codepoint_function(
 static_cast<char32_t>(ret),
- i + 1 < src_len ? codepoints[i + 1] : 0,
+ i + 1 < src_len ? src[i + 1] : 0,
 &next_is_consumed);
 if (ret > 0) {
 codepoints[j] = static_cast<char32_t>(ret); |
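Review bot: The comment added on the `codepoints` declaration in the first hunk says the for loop must change if the array size changes, yet the loop bound in the next hunk uses the same `MAX_CODEPOINTS` constant, so the two only diverge if someone sizes the array with a different expression. Tying the bound to the array itself removes the need for the warning, e.g. `j < sizeof(codepoints) / sizeof(codepoints[0])`, or reword the comment to `// loop below is bounded by MAX_CODEPOINTS; keep the two in sync`. GetExpectedString starts and ends outside the hunk.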
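Review bot: The added `j < MAX_CODEPOINTS` condition in the second hunk stops the overrun by ending the loop early, but input with more code points than the buffer holds is then truncated silently, and nothing visible in the hunk tells the caller. Since the commit message describes this as a custom SQL function, two long values that share their first MAX_CODEPOINTS code points would presumably normalize to the same result. Either return false for over-long input or document the truncation above the loop, e.g. `// Input beyond MAX_CODEPOINTS code points is dropped, not rejected.` The loop body runs past the end of the hunk, so it is worth confirming that `codepoints[j]` is written at most once per iteration.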
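Review bot: The lookahead argument `src[i + 1]` in the third hunk passes a raw `char` from the UTF-8 input where the first argument is a decoded code point, so for multi-byte text the callback would likely receive a lead or continuation byte (sign-extended if `char` is signed) instead of the next character. `utf32_at(src, src_len, i, &i)` has also already updated `i` by the time this expression runs, so `i + 1` appears to skip one position past the next character. Decoding the lookahead the same way as the current character keeps both arguments in the same domain, e.g. `size_t next_i; int32_t next = utf32_at(src, src_len, i, &next_i);` and then passing `next > 0 ? static_cast<char32_t>(next) : 0`. The loop body continues outside the hunk, so how `next_is_consumed` advances `i` should be checked against the same indexing.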