fix: prevent metadata offset overflow into array space and convert shorts to uints before addition

edusperoni · edusperoni · commit 1a73f6ffbb4d · 2024-09-30T10:54:02.000-03:00
diff --git a/test-app/build-tools/android-metadata-generator/src/src/com/telerik/metadata/Writer.java b/test-app/build-tools/android-metadata-generator/src/src/com/telerik/metadata/Writer.java
@@ -305,7 +305,7 @@ public void writeTree(TreeNode root) throws Exception {
         outStringsStream.close();
         writeInt(0, outValueStream);
 
-        final int array_offset = 1000 * 1000 * 1000;
+        final int array_offset = Integer.MAX_VALUE; // 2147483647, which is half of uint32
 
         d.push(root);
         while (!d.isEmpty()) {
@@ -328,6 +328,10 @@ public void writeTree(TreeNode root) throws Exception {
                 throw new Exception("should not happen");
             }
 
+            if ((n.nodeType & TreeNode.Array) != TreeNode.Array && Integer.toUnsignedLong(n.offsetValue) >= Integer.toUnsignedLong(array_offset)) {
+                throw new Exception("Non-array metadata has overflown array space. Please report this issue.");
+            }
+
             d.addAll(n.children);
         }
 
@@ -339,7 +343,7 @@ public void writeTree(TreeNode root) throws Exception {
             TreeNode n = d.pollFirst();
 
             if (n.arrayElement != null) {
-                n.offsetValue = array_offset + n.arrayElement.id;
+                n.offsetValue = array_offset + Short.toUnsignedInt(n.arrayElement.id);
             }
 
             if (!n.children.isEmpty()) {
@@ -387,6 +391,8 @@ public void writeTree(TreeNode root) throws Exception {
                 obj.addProperty("id", Short.toUnsignedInt(n.id));
                 obj.addProperty("nextSiblingId", Short.toUnsignedInt(n.nextSiblingId));
                 obj.addProperty("firstChildId", Short.toUnsignedInt(n.firstChildId));
+                obj.addProperty("offsetName", Integer.toUnsignedLong(n.offsetName));
+                obj.addProperty("offsetValue", Integer.toUnsignedLong(n.offsetValue));
                 obj.addProperty("name", n.getName());
                 obj.addProperty("nodeType", n.nodeType);
                 rootArray.add(obj);
diff --git a/test-app/runtime/src/main/cpp/MetadataReader.h b/test-app/runtime/src/main/cpp/MetadataReader.h
@@ -167,7 +167,7 @@ class MetadataReader {
 
     private:
 
-        static const uint32_t ARRAY_OFFSET = 1000000000;
+        static const uint32_t ARRAY_OFFSET = INT32_MAX; // 2147483647
 
         MetadataTreeNode* BuildTree();
 
