From cc6719f08251a892e435f8d9d44e9d8fa18d7cbe Mon Sep 17 00:00:00 2001
From: Jeff Hamilton
Date: Tue, 1 Sep 2009 00:29:12 -0500
Subject: Avoid a buffer overrun in GET_NORMALIZED_STRING.
This custom SQL function uses a fixed buffer of 128 characters and would overrun the buffer if passed a longer src string. Also, fix another problem with the function where it was using the incorrect value for next_codepoint. It was reading from the destination array not the source array.
Bug: 2089658
---
 android/PhoneticStringUtils.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'android/PhoneticStringUtils.cpp')
diff --git a/android/PhoneticStringUtils.cpp b/android/PhoneticStringUtils.cpp
index da5767f..cf85cb8 100644
--- a/android/PhoneticStringUtils.cpp
+++ b/android/PhoneticStringUtils.cpp
@@ -292,7 +292,7 @@ static bool GetExpectedString(
 src = STR_FOR_NULL_STR;
 }
- char32_t codepoints[MAX_CODEPOINTS];
+ char32_t codepoints[MAX_CODEPOINTS]; // if array size is changed the for loop needs to be changed
 size_t src_len = utf8_length(src);
 if (src_len == 0) {
@@ -300,7 +300,7 @@ static bool GetExpectedString(
 }
 bool next_is_consumed;
 size_t j = 0;
- for (size_t i = 0; i < src_len;) {
+ for (size_t i = 0; i < src_len && j < MAX_CODEPOINTS;) {
 int32_t ret = utf32_at(src, src_len, i, &i);
 if (ret < 0) {
 // failed to parse UTF-8
@@ -308,7 +308,7 @@ static bool GetExpectedString(
 }
 ret = get_codepoint_function(
 static_cast(ret),
- i + 1 < src_len ? codepoints[i + 1] : 0,
+ i + 1 < src_len ? src[i + 1] : 0,
 &next_is_consumed);
 if (ret > 0) {
 codepoints[j] = static_cast(ret);
-- cgit v1.2.3
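Review bot: The new `j < MAX_CODEPOINTS` condition in the `@@ -300,7 +300,7 @@` hunk protects `codepoints[j]` only if each iteration stores at most one element, and it ends the loop silently when the input is too long, so the caller receives a truncated result with no signal. The loop body continues outside the hunk, so the one-write-per-iteration assumption cannot be confirmed from here. Deriving the bound from the array itself, `j < sizeof(codepoints) / sizeof(codepoints[0])`, would keep the check correct if the declaration changes and would make the reminder comment added in the first hunk unnecessary. If truncation is the intended behaviour, say so next to the loop: `// input longer than MAX_CODEPOINTS is truncated, not rejected`.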
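Review bot: `src[i + 1]` in the `@@ -308,7 +308,7 @@` hunk passes a single raw UTF-8 byte where the commit message says a next codepoint is expected, so for any multi-byte character the callback would receive a lead or continuation byte (sign-extended where `char` is signed) rather than the decoded value. The index also looks one too far: `utf32_at(src, src_len, i, &i)` has already written a new value into `i`, presumably the start of the following character, so `i + 1` would skip past it. Decoding the lookahead would address both, e.g. `size_t next_i; int32_t next = i < src_len ? utf32_at(src, src_len, i, &next_i) : 0;` and passing `next > 0 ? next : 0` as the second argument. It is also worth confirming that `utf8_length` returns a byte count, since `src_len` is used both as the bound for indexing `src` and as the length handed to `utf32_at`.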