From e15d7a5104978cd8399501636aec0df9c1a4823c Mon Sep 17 00:00:00 2001
From: Tao Bao <tbao@google.com>
Date: Thu, 7 Sep 2017 13:38:51 -0700
Subject: ui: Manage menu_ with std::vector.

Prior to this CL, menu_ is allocated with a fixed length of text_rows_.
However, because we support scrollable menu in wear_ui, there might be
more menu entries than text_rows_, which would lead to out-of-bounds
array access. This CL addresses the issue by switching to std::vector.

Bug: 65416558
Test: Run 'View recovery logs' on angler.
Test: Set large margin height that leaves text_rows less than 21. Then
      run 'View recovery logs' with 21 menu entries.
Change-Id: I5d4e3a0a097039e1104eda7d494c6269053dc894
---
 wear_ui.cpp | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

(limited to 'wear_ui.cpp')

diff --git a/wear_ui.cpp b/wear_ui.cpp
index 670050a0b..edc39cfb4 100644
--- a/wear_ui.cpp
+++ b/wear_ui.cpp
@@ -127,11 +127,11 @@ void WearRecoveryUI::draw_screen_locked() {
           // white text of selected item
           SetColor(MENU_SEL_FG);
           if (menu_[i][0]) {
-            gr_text(gr_sys_font(), x + 4, y, menu_[i], 1);
+            gr_text(gr_sys_font(), x + 4, y, menu_[i].c_str(), 1);
           }
           SetColor(MENU);
         } else if (menu_[i][0]) {
-          gr_text(gr_sys_font(), x + 4, y, menu_[i], 0);
+          gr_text(gr_sys_font(), x + 4, y, menu_[i].c_str(), 0);
         }
         y += char_height_ + 4;
       }
@@ -199,17 +199,16 @@ void WearRecoveryUI::StartMenu(const char* const* headers, const char* const* it
   pthread_mutex_lock(&updateMutex);
   if (text_rows_ > 0 && text_cols_ > 0) {
     menu_headers_ = headers;
-    size_t i = 0;
+    menu_.clear();
     // "i < text_rows_" is removed from the loop termination condition,
     // which is different from the one in ScreenRecoveryUI::StartMenu().
     // Because WearRecoveryUI supports scrollable menu, it's fine to have
     // more entries than text_rows_. The menu may be truncated otherwise.
     // Bug: 23752519
-    for (; items[i] != nullptr; i++) {
-      strncpy(menu_[i], items[i], text_cols_ - 1);
-      menu_[i][text_cols_ - 1] = '\0';
+    for (size_t i = 0; items[i] != nullptr; i++) {
+      menu_.emplace_back(std::string(items[i], strnlen(items[i], text_cols_ - 1)));
     }
-    menu_items = i;
+    menu_items = static_cast<int>(menu_.size());
     show_menu = true;
     menu_sel = initial_selection;
     menu_start = 0;
-- 
cgit v1.2.3