diff --git a/build-tools/Java.Interop.BootstrapTasks/Java.Interop.BootstrapTasks/DownloadUri.cs b/build-tools/Java.Interop.BootstrapTasks/Java.Interop.BootstrapTasks/DownloadUri.cs index 879f2ddcc..da65dc003 100644 --- a/build-tools/Java.Interop.BootstrapTasks/Java.Interop.BootstrapTasks/DownloadUri.cs +++ b/build-tools/Java.Interop.BootstrapTasks/Java.Interop.BootstrapTasks/DownloadUri.cs @@ -41,7 +41,10 @@ public override bool Execute () } var tasks = new TTask [SourceUris.Length]; - using (var client = new HttpClient ()) { + var handler = new HttpClientHandler { + CheckCertificateRevocationList = true, + }; + using (var client = new HttpClient (handler)) { client.Timeout = TimeSpan.FromHours (3); for (int i = 0; i < SourceUris.Length; ++i) { tasks [i] = DownloadFile (client, SourceUris [i], DestinationFiles [i].ItemSpec); diff --git a/src/java-interop/java-interop-util.cc b/src/java-interop/java-interop-util.cc index 39b14a7a0..d80f22249 100644 --- a/src/java-interop/java-interop-util.cc +++ b/src/java-interop/java-interop-util.cc @@ -7,12 +7,21 @@ char* utf16_to_utf8 (const wchar_t *widestr) { int required_size = WideCharToMultiByte (CP_UTF8, 0, widestr, -1, NULL, 0, NULL, NULL); + if (required_size <= 0) { + return nullptr; + } + char *mbstr = static_cast (calloc (required_size, sizeof (char))); - int converted_size = WideCharToMultiByte (CP_UTF8, 0, widestr, -1, mbstr, required_size, NULL, NULL); + if (mbstr == nullptr) { + return nullptr; + } - // Hush a compiler warning about unused variable in RELEASE - (void)converted_size; + int converted_size = WideCharToMultiByte (CP_UTF8, 0, widestr, -1, mbstr, required_size, NULL, NULL); assert (converted_size == required_size); + if (required_size != converted_size) { + free (mbstr); + return nullptr; + } return mbstr; } 
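Review bot: The new `HttpClientHandler` initializer in `Execute ()` has no comment saying why revocation checking is turned on, so a later cleanup could drop it without noticing the security intent. I would add `// Check certificate revocation (CRL); HttpClientHandler leaves this off by default.` above `var handler = ...`. With the check on, an unreachable revocation endpoint may surface as a download failure on some platforms, so it is worth confirming the error reported from `DownloadFile` makes that cause recognisable. `Execute ()` starts and ends outside this hunk.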
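Review bot: In `utf16_to_utf8` the `assert (converted_size == required_size)` sits in front of the new `if (required_size != converted_size)` cleanup, so a build with assertions enabled aborts on the very condition that a release build handles by freeing the buffer and returning `nullptr`. Dropping the assert makes both build types take the same path; the `utf8_to_utf16` hunk has the same ordering. Both functions now return `nullptr` on three new paths and no caller is visible here, so each call site should be checked for a null test before use. A header comment such as `// Returns a calloc'd, NUL-terminated string the caller must free(), or nullptr on failure.` would record the contract.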
@@ -21,12 +30,21 @@ wchar_t* utf8_to_utf16 (const char *mbstr) { int required_chars = MultiByteToWideChar (CP_UTF8, 0, mbstr, -1, NULL, 0); + if (required_chars <= 0) { + return nullptr; + } + wchar_t *widestr = static_cast (calloc (required_chars, sizeof (wchar_t))); - int converted_chars = MultiByteToWideChar (CP_UTF8, 0, mbstr, -1, widestr, required_chars); + if (widestr == nullptr) { + return nullptr; + } - // Hush a compiler warning about unused variable in RELEASE - (void)converted_chars; + int converted_chars = MultiByteToWideChar (CP_UTF8, 0, mbstr, -1, widestr, required_chars); assert (converted_chars == required_chars); + if (required_chars != converted_chars) { + free (widestr); + return nullptr; + } return widestr; } diff --git a/tools/java-source-utils/src/main/java/com/microsoft/android/JavaSourceUtilsOptions.java b/tools/java-source-utils/src/main/java/com/microsoft/android/JavaSourceUtilsOptions.java index 13a3520ff..418635176 100644 --- a/tools/java-source-utils/src/main/java/com/microsoft/android/JavaSourceUtilsOptions.java +++ b/tools/java-source-utils/src/main/java/com/microsoft/android/JavaSourceUtilsOptions.java @@ -167,7 +167,7 @@ private final JavaSourceUtilsOptions parse(Iterator args) throws IOExcep final String bootClassPath = getNextOptionValue(args, arg); final ArrayList files = new ArrayList(); for (final String cp : bootClassPath.split(File.pathSeparator)) { - final File file = new File(cp); + final File file = new File(cp); // lgtm [java/path-injection-local] if (!file.exists()) { System.err.println(App.APP_NAME + ": warning: invalid file path for option `-bootclasspath`: " + cp); continue; 
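Review bot: The failure paths added to `utf8_to_utf16` do not cover malformed input, because `MultiByteToWideChar` is still called with `dwFlags` of 0 and in that mode invalid UTF-8 sequences are replaced with U+FFFD rather than reported as an error. If the converted string is later used as a path or compared against another name, that silent substitution can make two different inputs look alike. Passing `MB_ERR_INVALID_CHARS` here, and `WC_ERR_INVALID_CHARS` in `utf16_to_utf8`, would route bad input to the new `nullptr` return. Whether callers want strict conversion cannot be seen from this hunk.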
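Review bot: The `// lgtm [java/path-injection-local]` marker on `new File(cp)` silences the alert without recording why the path is acceptable, and the same bare suppression is added on `responseFile`, on the `FILES` argument, in `getNextOptionFile` and on `output` in `JavadocXmlGenerator`. If the reasoning is that these values come from the invoking user's own command line, state it next to the marker, for example a preceding line `// Path is supplied on the caller's command line; no privilege boundary is crossed.`. The `JavadocXmlGenerator` case deserves a separate look, because that path is written to and `parent.mkdirs()` creates directories, whereas the others are only tested with `exists()` or read. `parse` starts and ends outside this hunk.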
@@ -253,7 +253,7 @@ private final JavaSourceUtilsOptions parse(Iterator args) throws IOExcep if (arg.startsWith("@")) { // response file? final String responseFileName = arg.substring(1); - final File responseFile = new File(responseFileName); + final File responseFile = new File(responseFileName); // lgtm [java/path-injection-local] if (responseFile.exists()) { final Iterator lines = Files.readAllLines(responseFile.toPath()) @@ -267,7 +267,7 @@ private final JavaSourceUtilsOptions parse(Iterator args) throws IOExcep break; } } - final File file = new File(arg); + final File file = new File(arg); // lgtm [java/path-injection-local] if (!file.exists()) { System.err.println(App.APP_NAME + ": warning: invalid file path for option `FILES`: " + arg); break; @@ -319,6 +319,9 @@ private static void extractTo(final File zipFilePath, final File toDir, final Co if (!entry.getName().endsWith(".java")) continue; final File target = new File(toDir, entry.getName()); + if (!target.toPath().normalize().startsWith(toDir.toPath())) { + throw new Error("Bad zip entry: " + zipFilePath + "!" + entry.getName()); + } if (verboseOutput) { System.out.println ("# creating file: " + target.getAbsolutePath()); } @@ -343,7 +346,7 @@ static File getNextOptionFile(final Iterator args, final String option) throw new IllegalArgumentException( "Expected required value for option `" + option + "`."); final String fileName = args.next(); - final File file = new File(fileName); + final File file = new File(fileName); // lgtm [java/path-injection-local] if (!file.exists()) { System.err.println(App.APP_NAME + ": warning: invalid file path for option `" + option + "`: " + fileName); return null; diff --git a/tools/java-source-utils/src/main/java/com/microsoft/android/JavadocXmlGenerator.java b/tools/java-source-utils/src/main/java/com/microsoft/android/JavadocXmlGenerator.java index 7b379c99e..21f3f6251 100644 --- a/tools/java-source-utils/src/main/java/com/microsoft/android/JavadocXmlGenerator.java 
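Review bot: The new containment check in `extractTo` normalizes `target` but compares it with `toDir.toPath()` as given, so a relative `toDir`, or one containing `.` or `..` segments, will not match its own normalized children and valid entries are rejected. Comparing absolute, normalized paths on both sides avoids that: `if (!target.toPath().toAbsolutePath().normalize().startsWith(toDir.toPath().toAbsolutePath().normalize())) {`. `normalize()` is purely lexical, so a symlink already present under `toDir` is not resolved; whether that matters depends on who controls the directory. Throwing `java.lang.Error` also bypasses handlers that catch `Exception`; an `IOException` would fit better if the method's `throws` clause, which is cut off in the hunk header, allows it.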
+++ b/tools/java-source-utils/src/main/java/com/microsoft/android/JavadocXmlGenerator.java @@ -39,7 +39,7 @@ public JavadocXmlGenerator(final String output) throws FileNotFoundException, Pa if (output == null) this.output = System.out; else { - final File file = new File(output); + final File file = new File(output); // lgtm [java/path-injection-local] final File parent = file.getParentFile(); if (parent != null) { parent.mkdirs();