From e15d7a5104978cd8399501636aec0df9c1a4823c Mon Sep 17 00:00:00 2001 From: Tao Bao Date: Thu, 7 Sep 2017 13:38:51 -0700 Subject: ui: Manage menu_ with std::vector. Prior to this CL, menu_ is allocated with a fixed length of text_rows_. However, because we support scrollable menu in wear_ui, there might be more menu entries than text_rows_, which would lead to out-of-bounds array access. This CL addresses the issue by switching to std::vector. Bug: 65416558 Test: Run 'View recovery logs' on angler. Test: Set large margin height that leaves text_rows less than 21. Then run 'View recovery logs' with 21 menu entries. Change-Id: I5d4e3a0a097039e1104eda7d494c6269053dc894 --- screen_ui.cpp | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) (limited to 'screen_ui.cpp') diff --git a/screen_ui.cpp b/screen_ui.cpp index 5c93b6672..b8f6ea28b 100644 --- a/screen_ui.cpp +++ b/screen_ui.cpp @@ -69,7 +69,7 @@ ScreenRecoveryUI::ScreenRecoveryUI() text_top_(0), show_text(false), show_text_ever(false), - menu_(nullptr), + menu_headers_(nullptr), show_menu(false), menu_items(0), menu_sel(0), @@ -356,10 +356,10 @@ void ScreenRecoveryUI::draw_screen_locked() { DrawHighlightBar(0, y - 2, gr_fb_width(), char_height_ + 4); // Bold white text for the selected item. SetColor(MENU_SEL_FG); - y += DrawTextLine(x, y, menu_[i], true); + y += DrawTextLine(x, y, menu_[i].c_str(), true); SetColor(MENU); } else { - y += DrawTextLine(x, y, menu_[i], false); + y += DrawTextLine(x, y, menu_[i].c_str(), false); } } y += DrawHorizontalRule(y); @@ -508,7 +508,6 @@ bool ScreenRecoveryUI::Init(const std::string& locale) { text_ = Alloc2d(text_rows_, text_cols_ + 1); file_viewer_text_ = Alloc2d(text_rows_, text_cols_ + 1); - menu_ = Alloc2d(text_rows_, text_cols_ + 1); text_col_ = text_row_ = 0; text_top_ = 1; @@ -771,12 +770,11 @@ void ScreenRecoveryUI::StartMenu(const char* const* headers, const char* const* pthread_mutex_lock(&updateMutex); if (text_rows_ > 0 && text_cols_ > 0) { menu_headers_ = headers; - size_t i = 0; - for (; i < text_rows_ && items[i] != nullptr; ++i) { - strncpy(menu_[i], items[i], text_cols_ - 1); - menu_[i][text_cols_ - 1] = '\0'; + menu_.clear(); + for (size_t i = 0; i < text_rows_ && items[i] != nullptr; ++i) { + menu_.emplace_back(std::string(items[i], strnlen(items[i], text_cols_ - 1))); } - menu_items = i; + menu_items = static_cast(menu_.size()); show_menu = true; menu_sel = initial_selection; update_screen_locked(); -- cgit v1.2.3