From 53a1aa5ed5894f5bf5c0bc5119c8509a03ab686d Mon Sep 17 00:00:00 2001
From: Kevin Tang <zhikait@codeaurora.org>
Date: Fri, 8 Dec 2017 18:18:03 -0800
Subject: [PATCH] Fixed incorrect casting for SystemStatus::setNetworkInfo call

An incorrect casting at SystemStatus::eventDataItemNotify was causing a
heap overflow when trying to cast NetworkInfoDataItem into
SystemStatusNetworkInfo, that is bigger.

Change-Id: I3fbd88a1daf210c3c687a6f49ad868968a6efd96
CRs-fixed: 2137958
---
 core/SystemStatus.cpp | 100 +++++++++++++++++++++---------------------
 core/SystemStatus.h   |  55 ++++++++++++++++++++---
 2 files changed, 100 insertions(+), 55 deletions(-)

diff --git a/core/SystemStatus.cpp b/core/SystemStatus.cpp
index 8954a719..9e8f1e17 100644
--- a/core/SystemStatus.cpp
+++ b/core/SystemStatus.cpp
@@ -1301,12 +1301,11 @@ SystemStatus::SystemStatus(const MsgTask* msgTask) :
 /******************************************************************************
  SystemStatus - storing dataitems
 ******************************************************************************/
-bool SystemStatus::setNetworkInfo(const SystemStatusNetworkInfo& s)
+template <typename TYPE_SYSTEMSTATUS_ITEM, typename TYPE_REPORT, typename TYPE_ITEMBASE>
+bool SystemStatus::setItemBaseinReport(TYPE_REPORT& report, const TYPE_ITEMBASE& s)
 {
-    mConnected = s.mConnected;
-    SystemStatusNetworkInfo sout = s;
-    sout.mType = s.getType();
-    return setIteminReport(mCache.mNetworkInfo, sout);
+    TYPE_SYSTEMSTATUS_ITEM sout(s);
+    return setIteminReport(report, sout);
 }
 
 template <typename TYPE_REPORT, typename TYPE_ITEM>
@@ -1451,93 +1450,94 @@ bool SystemStatus::eventDataItemNotify(IDataItemCore* dataitem)
     switch(dataitem->getId())
     {
         case AIRPLANEMODE_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mAirplaneMode,
-                    *(static_cast<SystemStatusAirplaneMode*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusAirplaneMode>(mCache.mAirplaneMode,
+                    *(static_cast<AirplaneModeDataItemBase*>(dataitem)));
             break;
         case ENH_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mENH,
-                    *(static_cast<SystemStatusENH*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusENH>(mCache.mENH,
+                    *(static_cast<ENHDataItemBase*>(dataitem)));
             break;
         case GPSSTATE_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mGPSState,
-                    *(static_cast<SystemStatusGpsState*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusGpsState>(mCache.mGPSState,
+                    *(static_cast<GPSStateDataItemBase*>(dataitem)));
             break;
         case NLPSTATUS_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mNLPStatus,
-                    *(static_cast<SystemStatusNLPStatus*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusNLPStatus>(mCache.mNLPStatus,
+                    *(static_cast<NLPStatusDataItemBase*>(dataitem)));
             break;
         case WIFIHARDWARESTATE_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mWifiHardwareState,
-                    *(static_cast<SystemStatusWifiHardwareState*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusWifiHardwareState>(mCache.mWifiHardwareState,
+                    *(static_cast<WifiHardwareStateDataItemBase*>(dataitem)));
             break;
         case NETWORKINFO_DATA_ITEM_ID:
-            // need special handling for this item to map emums
-            ret = setNetworkInfo(
-                    *(static_cast<SystemStatusNetworkInfo*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusNetworkInfo>(mCache.mNetworkInfo,
+                    *(static_cast<NetworkInfoDataItemBase*>(dataitem)));
             break;
         case RILSERVICEINFO_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mRilServiceInfo,
-                    *(static_cast<SystemStatusServiceInfo*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusServiceInfo>(mCache.mRilServiceInfo,
+                    *(static_cast<RilServiceInfoDataItemBase*>(dataitem)));
             break;
         case RILCELLINFO_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mRilCellInfo,
-                    *(static_cast<SystemStatusRilCellInfo*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusRilCellInfo>(mCache.mRilCellInfo,
+                    *(static_cast<RilCellInfoDataItemBase*>(dataitem)));
             break;
         case SERVICESTATUS_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mServiceStatus,
-                    *(static_cast<SystemStatusServiceStatus*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusServiceStatus>(mCache.mServiceStatus,
+                    *(static_cast<ServiceStatusDataItemBase*>(dataitem)));
             break;
         case MODEL_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mModel,
-                    *(static_cast<SystemStatusModel*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusModel>(mCache.mModel,
+                    *(static_cast<ModelDataItemBase*>(dataitem)));
             break;
         case MANUFACTURER_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mManufacturer,
-                    *(static_cast<SystemStatusManufacturer*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusManufacturer>(mCache.mManufacturer,
+                    *(static_cast<ManufacturerDataItemBase*>(dataitem)));
             break;
         case ASSISTED_GPS_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mAssistedGps,
-                    *(static_cast<SystemStatusAssistedGps*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusAssistedGps>(mCache.mAssistedGps,
+                    *(static_cast<AssistedGpsDataItemBase*>(dataitem)));
             break;
         case SCREEN_STATE_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mScreenState,
-                    *(static_cast<SystemStatusScreenState*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusScreenState>(mCache.mScreenState,
+                    *(static_cast<ScreenStateDataItemBase*>(dataitem)));
             break;
         case POWER_CONNECTED_STATE_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mPowerConnectState,
-                    *(static_cast<SystemStatusPowerConnectState*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusPowerConnectState>(mCache.mPowerConnectState,
+                    *(static_cast<PowerConnectStateDataItemBase*>(dataitem)));
             break;
         case TIMEZONE_CHANGE_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mTimeZoneChange,
-                    *(static_cast<SystemStatusTimeZoneChange*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusTimeZoneChange>(mCache.mTimeZoneChange,
+                    *(static_cast<TimeZoneChangeDataItemBase*>(dataitem)));
             break;
         case TIME_CHANGE_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mTimeChange,
-                    *(static_cast<SystemStatusTimeChange*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusTimeChange>(mCache.mTimeChange,
+                    *(static_cast<TimeChangeDataItemBase*>(dataitem)));
             break;
         case WIFI_SUPPLICANT_STATUS_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mWifiSupplicantStatus,
-                    *(static_cast<SystemStatusWifiSupplicantStatus*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusWifiSupplicantStatus>(
+                    mCache.mWifiSupplicantStatus,
+                    *(static_cast<WifiSupplicantStatusDataItemBase*>(dataitem)));
             break;
         case SHUTDOWN_STATE_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mShutdownState,
-                    *(static_cast<SystemStatusShutdownState*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusShutdownState>(mCache.mShutdownState,
+                    *(static_cast<ShutdownStateDataItemBase*>(dataitem)));
             break;
         case TAC_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mTac,
-                    *(static_cast<SystemStatusTac*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusTac>(mCache.mTac,
+                    *(static_cast<TacDataItemBase*>(dataitem)));
             break;
         case MCCMNC_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mMccMnc,
-                    *(static_cast<SystemStatusMccMnc*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusMccMnc>(mCache.mMccMnc,
+                    *(static_cast<MccmncDataItemBase*>(dataitem)));
             break;
         case BTLE_SCAN_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mBtDeviceScanDetail,
-                    *(static_cast<SystemStatusBtDeviceScanDetail*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusBtDeviceScanDetail>(mCache.mBtDeviceScanDetail,
+                    *(static_cast<BtDeviceScanDetailsDataItemBase*>(dataitem)));
             break;
         case BT_SCAN_DATA_ITEM_ID:
-            ret = setIteminReport(mCache.mBtLeDeviceScanDetail,
-                    *(static_cast<SystemStatusBtleDeviceScanDetail*>(dataitem)));
+            ret = setItemBaseinReport<SystemStatusBtleDeviceScanDetail>(
+                    mCache.mBtLeDeviceScanDetail,
+                    *(static_cast<BtLeDeviceScanDetailsDataItemBase*>(dataitem)));
             break;
         default:
             break;
diff --git a/core/SystemStatus.h b/core/SystemStatus.h
index 0c9b4b9d..ae6c3e1d 100644
--- a/core/SystemStatus.h
+++ b/core/SystemStatus.h
@@ -391,6 +391,8 @@ class SystemStatusAirplaneMode : public SystemStatusItemBase,
 public:
     inline SystemStatusAirplaneMode(bool mode=false) :
             AirplaneModeDataItemBase(mode) {}
+    inline SystemStatusAirplaneMode(const AirplaneModeDataItemBase& itemBase) :
+            AirplaneModeDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusAirplaneMode& peer) {
         return (mMode == peer.mMode);
     }
@@ -402,6 +404,8 @@ class SystemStatusENH : public SystemStatusItemBase,
 public:
     inline SystemStatusENH(bool enabled=false) :
             ENHDataItemBase(enabled) {}
+    inline SystemStatusENH(const ENHDataItemBase& itemBase) :
+            ENHDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusENH& peer) {
         return (mEnabled == peer.mEnabled);
     }
@@ -413,6 +417,8 @@ class SystemStatusGpsState : public SystemStatusItemBase,
 public:
     inline SystemStatusGpsState(bool enabled=false) :
             GPSStateDataItemBase(enabled) {}
+    inline SystemStatusGpsState(const GPSStateDataItemBase& itemBase) :
+            GPSStateDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusGpsState& peer) {
         return (mEnabled == peer.mEnabled);
     }
@@ -427,6 +433,8 @@ class SystemStatusNLPStatus : public SystemStatusItemBase,
 public:
     inline SystemStatusNLPStatus(bool enabled=false) :
             NLPStatusDataItemBase(enabled) {}
+    inline SystemStatusNLPStatus(const NLPStatusDataItemBase& itemBase) :
+            NLPStatusDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusNLPStatus& peer) {
         return (mEnabled == peer.mEnabled);
     }
@@ -438,6 +446,8 @@ class SystemStatusWifiHardwareState : public SystemStatusItemBase,
 public:
     inline SystemStatusWifiHardwareState(bool enabled=false) :
             WifiHardwareStateDataItemBase(enabled) {}
+    inline SystemStatusWifiHardwareState(const WifiHardwareStateDataItemBase& itemBase) :
+            WifiHardwareStateDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusWifiHardwareState& peer) {
         return (mEnabled == peer.mEnabled);
     }
@@ -461,6 +471,10 @@ public:
                     available,
                     connected,
                     roaming) {}
+    inline SystemStatusNetworkInfo(const NetworkInfoDataItemBase& itemBase) :
+            NetworkInfoDataItemBase(itemBase) {
+        mType = itemBase.getType();
+    }
     inline bool equals(const SystemStatusNetworkInfo& peer) {
         if ((mType == peer.mType) &&
             (mTypeName == peer.mTypeName) &&
@@ -470,8 +484,8 @@ public:
             (mRoaming == peer.mRoaming)) {
             return true;
         }
-            return false;
-        }
+        return false;
+    }
     inline void dump(void) override {
         LOC_LOGD("NetworkInfo: type=%u connected=%u", mType, mConnected);
     }
@@ -483,6 +497,8 @@ class SystemStatusServiceInfo : public SystemStatusItemBase,
 public:
     inline SystemStatusServiceInfo() :
             RilServiceInfoDataItemBase() {}
+    inline SystemStatusServiceInfo(const RilServiceInfoDataItemBase& itemBase) :
+            RilServiceInfoDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusServiceInfo& /*peer*/) {
         return true;
     }
@@ -494,6 +510,8 @@ class SystemStatusRilCellInfo : public SystemStatusItemBase,
 public:
     inline SystemStatusRilCellInfo() :
             RilCellInfoDataItemBase() {}
+    inline SystemStatusRilCellInfo(const RilCellInfoDataItemBase& itemBase) :
+            RilCellInfoDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusRilCellInfo& /*peer*/) {
         return true;
     }
@@ -505,6 +523,8 @@ class SystemStatusServiceStatus : public SystemStatusItemBase,
 public:
     inline SystemStatusServiceStatus(int32_t mServiceState=0) :
             ServiceStatusDataItemBase(mServiceState) {}
+    inline SystemStatusServiceStatus(const ServiceStatusDataItemBase& itemBase) :
+            ServiceStatusDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusServiceStatus& peer) {
         return (mServiceState == peer.mServiceState);
     }
@@ -516,6 +536,8 @@ class SystemStatusModel : public SystemStatusItemBase,
 public:
     inline SystemStatusModel(string name="") :
             ModelDataItemBase(name) {}
+    inline SystemStatusModel(const ModelDataItemBase& itemBase) :
+            ModelDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusModel& peer) {
         return (mModel == peer.mModel);
         }
@@ -527,6 +549,8 @@ class SystemStatusManufacturer : public SystemStatusItemBase,
 public:
     inline SystemStatusManufacturer(string name="") :
             ManufacturerDataItemBase(name) {}
+    inline SystemStatusManufacturer(const ManufacturerDataItemBase& itemBase) :
+            ManufacturerDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusManufacturer& peer) {
         return (mManufacturer == peer.mManufacturer);
     }
@@ -538,6 +562,8 @@ class SystemStatusAssistedGps : public SystemStatusItemBase,
 public:
     inline SystemStatusAssistedGps(bool enabled=false) :
             AssistedGpsDataItemBase(enabled) {}
+    inline SystemStatusAssistedGps(const AssistedGpsDataItemBase& itemBase) :
+            AssistedGpsDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusAssistedGps& peer) {
         return (mEnabled == peer.mEnabled);
     }
@@ -549,6 +575,8 @@ class SystemStatusScreenState : public SystemStatusItemBase,
 public:
     inline SystemStatusScreenState(bool state=false) :
             ScreenStateDataItemBase(state) {}
+    inline SystemStatusScreenState(const ScreenStateDataItemBase& itemBase) :
+            ScreenStateDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusScreenState& peer) {
         return (mState == peer.mState);
     }
@@ -560,6 +588,8 @@ class SystemStatusPowerConnectState : public SystemStatusItemBase,
 public:
     inline SystemStatusPowerConnectState(bool state=false) :
             PowerConnectStateDataItemBase(state) {}
+    inline SystemStatusPowerConnectState(const PowerConnectStateDataItemBase& itemBase) :
+            PowerConnectStateDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusPowerConnectState& peer) {
         return (mState == peer.mState);
     }
@@ -572,6 +602,8 @@ public:
     inline SystemStatusTimeZoneChange(
             int64_t currTimeMillis=0ULL, int32_t rawOffset=0, int32_t dstOffset=0) :
             TimeZoneChangeDataItemBase(currTimeMillis, rawOffset, dstOffset) {}
+    inline SystemStatusTimeZoneChange(const TimeZoneChangeDataItemBase& itemBase) :
+            TimeZoneChangeDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusTimeZoneChange& peer) {
         return ((mCurrTimeMillis == peer.mCurrTimeMillis) &&
                 (mRawOffsetTZ == peer.mRawOffsetTZ) &&
@@ -586,6 +618,8 @@ public:
     inline SystemStatusTimeChange(
             int64_t currTimeMillis=0ULL, int32_t rawOffset=0, int32_t dstOffset=0) :
             TimeChangeDataItemBase(currTimeMillis, rawOffset, dstOffset) {}
+    inline SystemStatusTimeChange(const TimeChangeDataItemBase& itemBase) :
+            TimeChangeDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusTimeChange& peer) {
         return ((mCurrTimeMillis == peer.mCurrTimeMillis) &&
                 (mRawOffsetTZ == peer.mRawOffsetTZ) &&
@@ -599,6 +633,8 @@ class SystemStatusWifiSupplicantStatus : public SystemStatusItemBase,
 public:
     inline SystemStatusWifiSupplicantStatus() :
             WifiSupplicantStatusDataItemBase() {}
+    inline SystemStatusWifiSupplicantStatus(const WifiSupplicantStatusDataItemBase& itemBase) :
+            WifiSupplicantStatusDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusWifiSupplicantStatus& peer) {
         return ((mState == peer.mState) &&
                 (mApMacAddressValid == peer.mApMacAddressValid) &&
@@ -613,6 +649,8 @@ class SystemStatusShutdownState : public SystemStatusItemBase,
 public:
     inline SystemStatusShutdownState(bool state=false) :
             ShutdownStateDataItemBase(state) {}
+    inline SystemStatusShutdownState(const ShutdownStateDataItemBase& itemBase) :
+            ShutdownStateDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusShutdownState& peer) {
         return (mState == peer.mState);
     }
@@ -624,7 +662,8 @@ class SystemStatusTac : public SystemStatusItemBase,
 public:
     inline SystemStatusTac(std::string value="") :
             TacDataItemBase(value) {}
-
+    inline SystemStatusTac(const TacDataItemBase& itemBase) :
+            TacDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusTac& peer) {
         return (mValue == peer.mValue);
     }
@@ -639,6 +678,8 @@ class SystemStatusMccMnc : public SystemStatusItemBase,
 public:
     inline SystemStatusMccMnc(std::string value="") :
             MccmncDataItemBase(value) {}
+    inline SystemStatusMccMnc(const MccmncDataItemBase& itemBase) :
+            MccmncDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusMccMnc& peer) {
         return (mValue == peer.mValue);
     }
@@ -653,6 +694,8 @@ class SystemStatusBtDeviceScanDetail : public SystemStatusItemBase,
 public:
     inline SystemStatusBtDeviceScanDetail() :
             BtDeviceScanDetailsDataItemBase() {}
+    inline SystemStatusBtDeviceScanDetail(const BtDeviceScanDetailsDataItemBase& itemBase) :
+            BtDeviceScanDetailsDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusBtDeviceScanDetail& /*peer*/) {
         return true;
     }
@@ -664,6 +707,8 @@ class SystemStatusBtleDeviceScanDetail : public SystemStatusItemBase,
 public:
     inline SystemStatusBtleDeviceScanDetail() :
             BtLeDeviceScanDetailsDataItemBase() {}
+    inline SystemStatusBtleDeviceScanDetail(const BtLeDeviceScanDetailsDataItemBase& itemBase) :
+            BtLeDeviceScanDetailsDataItemBase(itemBase) {}
     inline bool equals(const SystemStatusBtleDeviceScanDetail& /*peer*/) {
         return true;
     }
@@ -739,8 +784,8 @@ private:
     SystemStatusReports mCache;
     bool mConnected;
 
-    // set dataitem derived item in report cache
-    bool setNetworkInfo(const SystemStatusNetworkInfo& s);
+    template <typename TYPE_SYSTEMSTATUS_ITEM, typename TYPE_REPORT, typename TYPE_ITEMBASE>
+    bool setItemBaseinReport(TYPE_REPORT& report, const TYPE_ITEMBASE& s);
 
     template <typename TYPE_REPORT, typename TYPE_ITEM>
     bool setIteminReport(TYPE_REPORT& report, const TYPE_ITEM& s);