Add tests for security vulnerability CVE-2016-0718 am: ec40d6fe am:...

Add tests for security vulnerability CVE-2016-0718 am: ec40d6fe am: 1ab7224f am: 549143a3 am: a38bf83c am: 52ac1089 am: 47e32c35 am: e6dfd2f1 * commit 'e6dfd2f1': Add tests for security vulnerability CVE-2016-0718 Change-Id: I9ca86393c6ecf9fa1677298c0906f6f933919fca

Add tests for security vulnerability CVE-2016-0718 am: ec40d6fe am:...
Add tests for security vulnerability CVE-2016-0718 am: ec40d6fe am: 1ab7224f am: 549143a3 am: a38bf83c am: 52ac1089 am: 47e32c35 am: e6dfd2f1 * commit 'e6dfd2f1': Add tests for security vulnerability CVE-2016-0718 Change-Id: I9ca86393c6ecf9fa1677298c0906f6f933919fca
5b8e6731 · Paul Duffin · android-build-merger · bdedf741 · e6dfd2f1 · 5b8e6731
Commit 5b8e6731 authored 9 years ago by Paul Duffin Committed by android-build-merger 9 years ago
4 changed files
--- a/luni/src/test/java/libcore/xml/ExpatSaxParserTest.java
+++ b/luni/src/test/java/libcore/xml/ExpatSaxParserTest.java
@@ -36,6 +36,7 @@ import org.xml.sax.ContentHandler;
 import org.xml.sax.InputSource;
 import org.xml.sax.Locator;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
 import org.xml.sax.XMLReader;
 import org.xml.sax.ext.DefaultHandler2;
 import org.xml.sax.helpers.DefaultHandler;
@@ -624,6 +625,54 @@ public class ExpatSaxParserTest extends TestCase {
        assertEquals(Arrays.asList("foo", "bar", "/bar", "/foo"), handler.elementNames);
    }

+    /**
+     * A little endian UTF-16 file with an odd number of bytes.
+     */
+    public void testBug28698301_1() throws Exception {
+        checkBug28698301("bug28698301-1.xml");
+    }
+
+    /**
+     * A little endian UTF-16 file with an even number of bytes that didn't exhibit the problem
+     * reported in the bug.
+     */
+    public void testBug28698301_2() throws Exception {
+        checkBug28698301("bug28698301-2.xml");
+    }
+
+    /**
+     * A big endian UTF-16 file with an odd number of bytes.
+     */
+    public void testBug28698301_3() throws Exception {
+        checkBug28698301("bug28698301-3.xml");
+    }
+
+    /**
+     * This tests what happens when UTF-16 input (little and big endian) that has an odd number of
+     * bytes (and hence is invalid UTF-16) is parsed by Expat.
+     *
+     * <p>Prior to the patch the files would cause the pointer into the byte buffer to jump past
+     * the end of the buffer and keep reading. Once it had jumped past it would continue reading
+     * from memory until it hit a check that caused it to stop or caused a SIGSEGV. If a SIGSEGV
+     * was not thrown that lead to spurious and misleading errors being reported.
+     *
+     * <p>The initial jump was caused because it was not checking to make sure that there were
+     * enough bytes to read a whole UTF-16 character. It kept reading because most of the buffer
+     * range checks used == and != rather than >= and <. The patch fixes the initial jump and then
+     * uses inequalities in the range check to fail fast in the event of another overflow bug.
+     */
+    private void checkBug28698301(String name) throws IOException, SAXException {
+        InputStream is = getClass().getResourceAsStream(name);
+        try {
+            parse(is, Encoding.UTF_16, new TestHandler());
+        } catch (SAXParseException exception) {
+            String message = exception.getMessage();
+            if (!message.contains("no element found")) {
+                fail("Expected 'no element found' exception, found: " + message);
+            }
+        }
+    }
+
    /**
     * Parses the given xml string and fires events on the given SAX handler.
     */

--- a/luni/src/test/resources/libcore/xml/bug28698301-1.xml
+++ b/luni/src/test/resources/libcore/xml/bug28698301-1.xml
 B<?xml version="1.0"?>
--- a/luni/src/test/resources/libcore/xml/bug28698301-2.xml
+++ b/luni/src/test/resources/libcore/xml/bug28698301-2.xml
 B<?xml version="1.0"?>
--- a/luni/src/test/resources/libcore/xml/bug28698301-3.xml
+++ b/luni/src/test/resources/libcore/xml/bug28698301-3.xml
 B<?xml version="1.0"?>