Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / b4a561541614567dcc8fec4ea87e2c05a347375f^1..b4a561541614567dcc8fec4ea87e2c05a347375f / .
commitb4a561541614567dcc8fec4ea87e2c05a347375f[log] [tgz]
authorDavid Christie <dnchrist@google.com>Thu Aug 11 18:33:15 2016 +0000
committerandroid-build-merger <android-build-merger@google.com>Thu Aug 11 18:33:15 2016 +0000
tree43e3b02ce9d42f2d462671a2dcc749106b2599a8
parentf645010092b5489db87afbb0129dc953f249734b [diff]
parent3462e52676c700743899b34496b13412612d1346 [diff]
Fix vulnerability where large GPS XTRA data can be injected. -Can potentially crash system with OOM. Bug: 29555864 am: dde12c6923
am: 3462e52676

Change-Id: I45779f683b417fe2d3cd4f7702d07a9cd13bd6f0

diff --git a/services/core/java/com/android/server/location/GpsXtraDownloader.java b/services/core/java/com/android/server/location/GpsXtraDownloader.java
index e420073..fdd9c49 100644
--- a/services/core/java/com/android/server/location/GpsXtraDownloader.java
+++ b/services/core/java/com/android/server/location/GpsXtraDownloader.java

@@ -44,6 +44,7 @@
 
     private static final String TAG = "GpsXtraDownloader";
     static final boolean DEBUG = false;
+    private static final long MAXIMUM_CONTENT_LENGTH_BYTES = 1000000;  // 1MB.
     
     private Context mContext;
     private String[] mXtraServers;
@@ -138,8 +139,9 @@
             byte[] body = null;
             if (entity != null) {
                 try {
-                    if (entity.getContentLength() > 0) {
-                        body = new byte[(int) entity.getContentLength()];
+                    long contentLength = entity.getContentLength();
+                    if (contentLength > 0 && contentLength <= MAXIMUM_CONTENT_LENGTH_BYTES) {
+                        body = new byte[(int) contentLength];
                         DataInputStream dis = new DataInputStream(entity.getContent());
                         try {
                             dis.readFully(body);