fix: prevent metadata offset overflow into array space and convert sh…

…orts to uints before addition
NativeScript · Sep 30, 2024 · 9cfc349 · 9cfc349
1 parent a184875
commit 9cfc349
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/test-app/build-tools/android-metadata-generator/src/src/com/telerik/metadata/Writer.java b/test-app/build-tools/android-metadata-generator/src/src/com/telerik/metadata/Writer.java
@@ -305,7 +305,7 @@ public void writeTree(TreeNode root) throws Exception {
         outStringsStream.close();
         writeInt(0, outValueStream);
 
-        final int array_offset = 1000 * 1000 * 1000;
+        final int array_offset = Integer.MAX_VALUE; // 2147483647, which is half of uint32
 
         d.push(root);
         while (!d.isEmpty()) {
@@ -328,6 +328,10 @@ public void writeTree(TreeNode root) throws Exception {
                 throw new Exception("should not happen");
             }
 
+            if ((n.nodeType & TreeNode.Array) != TreeNode.Array && Integer.toUnsignedLong(n.offsetValue) >= Integer.toUnsignedLong(array_offset)) {
+                throw new Exception("Non-array metadata has overflown array space. Please report this issue.");
+            }
+
             d.addAll(n.children);
         }
 
@@ -339,7 +343,7 @@ public void writeTree(TreeNode root) throws Exception {
             TreeNode n = d.pollFirst();
 
             if (n.arrayElement != null) {
-                n.offsetValue = array_offset + n.arrayElement.id;
+                n.offsetValue = array_offset + Short.toUnsignedInt(n.arrayElement.id);
             }
 
             if (!n.children.isEmpty()) {
@@ -387,6 +391,8 @@ public void writeTree(TreeNode root) throws Exception {
                 obj.addProperty("id", Short.toUnsignedInt(n.id));
                 obj.addProperty("nextSiblingId", Short.toUnsignedInt(n.nextSiblingId));
                 obj.addProperty("firstChildId", Short.toUnsignedInt(n.firstChildId));
+                obj.addProperty("offsetName", Integer.toUnsignedLong(n.offsetName));
+                obj.addProperty("offsetValue", Integer.toUnsignedLong(n.offsetValue));
                 obj.addProperty("name", n.getName());
                 obj.addProperty("nodeType", n.nodeType);
                 rootArray.add(obj);

diff --git a/test-app/runtime/src/main/cpp/MetadataReader.h b/test-app/runtime/src/main/cpp/MetadataReader.h
@@ -167,7 +167,7 @@ class MetadataReader {
 
     private:
 
-        static const uint32_t ARRAY_OFFSET = 1000000000;
+        static const uint32_t ARRAY_OFFSET = INT32_MAX; // 2147483647
 
         MetadataTreeNode* BuildTree();