From ad4e0108a920f04d0ed81689b26c7afc1893fb57 Mon Sep 17 00:00:00 2001
From: Keisuke Kuroyanagi <ksk@google.com>
Date: Fri, 23 Aug 2013 19:55:55 +0900
Subject: [PATCH] Fix: reading uninitialized area.

Bug: 10402083
Change-Id: I083beea29fe563b1e7739653d756b77820753e3f
---
 .../dictionary/dynamic_patricia_trie_policy.cpp        | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/native/jni/src/suggest/policyimpl/dictionary/dynamic_patricia_trie_policy.cpp b/native/jni/src/suggest/policyimpl/dictionary/dynamic_patricia_trie_policy.cpp
index 3000860a3a..11da039514 100644
--- a/native/jni/src/suggest/policyimpl/dictionary/dynamic_patricia_trie_policy.cpp
+++ b/native/jni/src/suggest/policyimpl/dictionary/dynamic_patricia_trie_policy.cpp
@@ -126,7 +126,7 @@ int DynamicPatriciaTriePolicy::getTerminalNodePositionOfWord(const int *const in
     int pos = getRootPosition();
     DynamicPatriciaTrieNodeReader nodeReader(mDictRoot, getBigramsStructurePolicy(),
             getShortcutsStructurePolicy());
-    while (currentLength <= length) {
+    while (currentLength < length) {
         // When foundMatchedNode becomes true, currentLength is increased at least once.
         bool foundMatchedNode = false;
         int totalChildCount = 0;
@@ -144,13 +144,15 @@ int DynamicPatriciaTriePolicy::getTerminalNodePositionOfWord(const int *const in
             for (int i = 0; i < childCount; i++) {
                 nodeReader.fetchNodeInfoFromBufferAndGetNodeCodePoints(pos, MAX_WORD_LENGTH,
                         mergedNodeCodePoints);
-                if (nodeReader.isDeleted() || nodeReader.getCodePointCount() <= 0) {
+                const int nodeCodePointCount = nodeReader.getCodePointCount();
+                if (nodeReader.isDeleted() || nodeCodePointCount <= 0
+                        || currentLength + nodeCodePointCount > length) {
                     // Skip deleted or empty node.
                     pos = nodeReader.getSiblingNodePos();
                     continue;
                 }
                 bool matched = true;
-                for (int j = 0; j < nodeReader.getCodePointCount(); ++j) {
+                for (int j = 0; j < nodeCodePointCount; ++j) {
                     if (mergedNodeCodePoints[j] != searchCodePoints[currentLength + j]) {
                         // Different code point is found.
                         matched = false;
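Review bot: The new bound `currentLength + nodeCodePointCount > length` in the skip condition adds a count obtained from the node reader to `currentLength` before comparing, so a corrupted or oversized count could overflow the signed sum and pass the check. Writing it as `nodeCodePointCount > length - currentLength` gives the same bound without the addition, and the subtraction looks safe because the loop condition and this guard appear to keep `currentLength` at or below `length`. The comment under it, `// Skip deleted or empty node.`, no longer covers the third case and could read `// Skip deleted or empty nodes, and nodes that extend past the end of the search word.` It is not visible here whether `getCodePointCount()` is capped at the `MAX_WORD_LENGTH` passed to the fetch call; if it is not, the `j` loop could still read `mergedNodeCodePoints` beyond what was filled in, so that limit is worth confirming. The function begins and ends outside this hunk.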
@@ -158,7 +160,7 @@ int DynamicPatriciaTriePolicy::getTerminalNodePositionOfWord(const int *const in
                     }
                 }
                 if (matched) {
-                    currentLength += nodeReader.getCodePointCount();
+                    currentLength += nodeCodePointCount;
                     if (length == currentLength) {
                         // Terminal position is found.
                         return nodeReader.getNodePos();
-- 
GitLab