authorMichael Butler <butlermichael@google.com>2017-04-19 18:47:55 -0700
committerMichael Butler <butlermichael@google.com>2017-04-20 16:01:08 -0700
commitca451c3280b6265a9b79273b4bf89e121a050cab (patch)
tree8830ef5cc93e61b60cd1a0ee8b7324e8dcd5df6e
parent8467325c6d80de30bb86b7665cc41dff0c276e8d (diff)
downloadrs-ca451c3280b6265a9b79273b4bf89e121a050cab.tar.gz
Fix clang-analyzer-security warnings for RenderScript
Replace unsafe strcpy and strcat with bounded strlcpy and strlcat. Bug: 32511607 Test: mma, cts, vts Change-Id: I92bc8142f82eaf78f4465bf061871cad864c53b8
-rw-r--r--cpu_ref/rsCpuCore.cpp4
-rw-r--r--cpu_ref/rsCpuExecutable.cpp24
-rw-r--r--rsFont.cpp5
-rw-r--r--rsg_generator.c3
4 files changed, 22 insertions, 14 deletions
diff --git a/cpu_ref/rsCpuCore.cpp b/cpu_ref/rsCpuCore.cpp
index 43e45218..f4f9c4c9 100644
--- a/cpu_ref/rsCpuCore.cpp
+++ b/cpu_ref/rsCpuCore.cpp
@@ -483,7 +483,7 @@ static const int kFormatInBytesMax = 16;
// ": " + 2 digits per byte + 1 separator between bytes + "..." + null
typedef char FormatBuf[2 + kFormatInBytesMax*2 + (kFormatInBytesMax - 1) + 3 + 1];
static const char *format_bytes(FormatBuf *outBuf, const uint8_t *inBuf, const int inBytes) {
- strcpy(*outBuf, ": ");
+ strlcpy(*outBuf, ": ", sizeof(FormatBuf));
int pos = 2;
const int lim = std::min(kFormatInBytesMax, inBytes);
for (int i = 0; i < lim; ++i) {
@@ -495,7 +495,7 @@ static const char *format_bytes(FormatBuf *outBuf, const uint8_t *inBuf, const i
pos += 2;
}
if (kFormatInBytesMax < inBytes)
- strcpy(*outBuf + pos, "...");
+ strlcpy(*outBuf + pos, "...", sizeof(FormatBuf) - pos);
return *outBuf;
}
diff --git a/cpu_ref/rsCpuExecutable.cpp b/cpu_ref/rsCpuExecutable.cpp
index 91d93556..fbc34935 100644
--- a/cpu_ref/rsCpuExecutable.cpp
+++ b/cpu_ref/rsCpuExecutable.cpp
@@ -299,6 +299,18 @@ static char* strgets(char *s, int size, const char **ppstr) {
return s;
}
+// Creates a duplicate of a string. The new string is as small as possible,
+// only including characters up to and including the first null-terminator;
+// otherwise, the new string will be the same size as the input string.
+// The code that calls duplicateString is responsible for the new string's
+// lifetime, and is responsible for freeing it when it is no longer needed.
+static char* duplicateString(const char *str, size_t length) {
+ const size_t newLen = strnlen(str, length-1) + 1;
+ char *newStr = new char[newLen];
+ strlcpy(newStr, str, newLen);
+ return newStr;
+}
+
ScriptExecutable* ScriptExecutable::createFromSharedObject(
void* sharedObj, uint32_t expectedChecksum) {
char line[MAXLINE];
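Review bot: `duplicateString` computes `length-1` on a `size_t`, so a `length` of 0 wraps to `SIZE_MAX` and the `strnlen` bound disappears. Separately, `strlcpy` is specified to return the length of `str`, so it reads `str` up to its terminator even when `newLen` is smaller; the bounded `strnlen` therefore does not protect against an input that is unterminated within `length`. The visible callers pass buffers that are presumably terminated already, so this is hardening rather than a live bug. Copying exactly the measured length with `memcpy` and terminating by hand avoids both problems. The comment should also say the result must be released with `delete[]`. `createFromSharedObject` continues outside this hunk.
```cpp
static char* duplicateString(const char *str, size_t length) {
    // Never read more than length-1 source bytes; length == 0 yields "".
    const size_t copyLen = (length == 0) ? 0 : strnlen(str, length - 1);
    char *newStr = new char[copyLen + 1];
    memcpy(newStr, str, copyLen);
    newStr[copyLen] = '\0';
    return newStr;
}
```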
@@ -369,8 +381,7 @@ ScriptExecutable* ScriptExecutable::createFromSharedObject(
}
fieldAddress[i] = addr;
fieldIsObject[i] = false;
- fieldName[i] = new char[strlen(line)+1];
- strcpy(fieldName[i], line);
+ fieldName[i] = duplicateString(line, sizeof(line));
}
if (strgets(line, MAXLINE, &rsInfo) == nullptr) {
@@ -623,13 +634,8 @@ ScriptExecutable* ScriptExecutable::createFromSharedObject(
goto error;
}
- char *pKey = new char[strlen(key)+1];
- strcpy(pKey, key);
- pragmaKeys[i] = pKey;
-
- char *pValue = new char[strlen(value)+1];
- strcpy(pValue, value);
- pragmaValues[i] = pValue;
+ pragmaKeys[i] = duplicateString(key, sizeof(key));
+ pragmaValues[i] = duplicateString(value, sizeof(value));
//ALOGE("Pragma %zu: Key: '%s' Value: '%s'", i, pKey, pValue);
}
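Review bot: `sizeof(key)` and `sizeof(value)` are a correct bound only if `key` and `value` are char arrays. Their declarations are outside this hunk, and if either is a `char *` the bound becomes the pointer size and the pragma string is silently cut short. Worth confirming, or passing the same named size constant used to declare them. The commented-out `ALOGE` line still names `pKey` and `pValue`, which this change removes; it should read `pragmaKeys[i], pragmaValues[i]` or be dropped so it does not break when someone re-enables it.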
diff --git a/rsFont.cpp b/rsFont.cpp
index b3c6c17c..f204f597 100644
--- a/rsFont.cpp
+++ b/rsFont.cpp
@@ -26,6 +26,7 @@
#include FT_FREETYPE_H
#include FT_BITMAP_H
#endif //ANDROID_RS_SERIALIZE
+#include <string.h>
namespace android {
namespace renderscript {
@@ -754,8 +755,8 @@ void FontState::renderText(const char *text, uint32_t len, int32_t x, int32_t y,
char fullPath[1024];
const char * root = getenv("ANDROID_ROOT");
rsAssert(strlen(root) < 256);
- strcpy(fullPath, root);
- strcat(fullPath, "/fonts/Roboto-Regular.ttf");
+ strlcpy(fullPath, root, sizeof(fullPath));
+ strlcat(fullPath, "/fonts/Roboto-Regular.ttf", sizeof(fullPath));
mDefault.set(Font::create(mRSC, fullPath, 8, mRSC->getDPI()));
}
currentFont = mDefault.get();
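Review bot: `getenv("ANDROID_ROOT")` can return nullptr, yet `root` goes straight into `strlen` inside `rsAssert` and then into `strlcpy`, so the bounded copy does not help when the variable is unset. A guard such as `if (root == nullptr) { /* skip default font */ }` before the assert would close that; whether `rsAssert` stops execution in release builds is not visible here, so it should not be relied on as the check. The results of `strlcpy` and `strlcat` are also ignored; testing `strlcat(...) >= sizeof(fullPath)` would keep a truncated path from reaching `Font::create`. `renderText` starts and ends outside this hunk.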
diff --git a/rsg_generator.c b/rsg_generator.c
index d6655723..5d307708 100644
--- a/rsg_generator.c
+++ b/rsg_generator.c
@@ -120,7 +120,8 @@ void printFuncDecl(FILE *f, const ApiEntry *api, const char *prefix, int addCont
printVarTypeAndName(f, &api->ret);
if (isFnPtr) {
char t[1024];
- strcpy(t, api->name);
+ strncpy(t, api->name, sizeof(t)-1);
+ t[sizeof(t)-1] = '\0';
if (strlen(prefix) == 0) {
if (t[0] > 'A' && t[0] < 'Z') {
t[0] -= 'A' - 'a';
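Review bot: The `strncpy` plus manual terminator prevents the overflow of `t`, but an `api->name` of 1024 characters or more is now truncated silently and the generator would emit a declaration with the wrong identifier. Since this is a build-time tool, failing loudly is safer, for example `if (strlen(api->name) >= sizeof(t)) { fprintf(stderr, "API name too long\n"); exit(1); }` ahead of the copy. A short comment on why `strncpy` is used here while the other files use `strlcpy` would help the next reader; it is presumably because this file builds on the host. `printFuncDecl` continues outside this hunk.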