-
Samuel Huang authored
This CL is similar to: https://chromium-review.googlesource.com/1133688 BufferRegion::FitsIn() (and BufferViewBase::covers()) decides whether a BufferRegion fits inside a buffer. A special case is whether an empty region fits at the end of a buffer? Previously this was considered to be a pathological case, so the result is "false". However, this led to a DCHECK failure found by the DEX fuzzer: a CodeItem with insns_size = 0 is checked against an empty buffer. It may seem straightforward to change the DCHECK to a handled failure. However, the failing code (in CodeItemParser::GetCodeItemInsns()) occurs after CodeItem have been supposedly validated, so the DCHECK is correctly placed! Two causes are: (1) Technically insns_size should be > 0, as dictated by constraint A1 ("The insns array mus tnot be empty") in Dalvik spec. (2) The FitsIn() check is too stringent. This CL focuses on relaxing (2). This makes checking slightly more permissive elsewhere in code (patch_reader.cc and Win32 disassembler), but this looks like the right thing to do. As for (1), we plan to visit https://source.android.com/devices/tech/dalvik/constraints and implement more rigorous checks. So we simply add a TODO for now. Bug: 863478 Change-Id: Iacbb2bb9bf26701db960192c7b727351ea5afdec Reviewed-on: https://chromium-review.googlesource.com/1142517Reviewed-by:
agrieve <agrieve@chromium.org> Reviewed-by:
Samuel Huang <huangs@chromium.org> Commit-Queue: Samuel Huang <huangs@chromium.org> Cr-Commit-Position: refs/heads/master@{#576482}
2b31de16
