Take precautions against ill-formed content URIs

* java/org/gnu/emacs/EmacsService.java (openContentUri)
(checkContentUri): Verify that URIs derived from user-provided
file names can be parsed before attempting to open them.

1 files changed, 17 insertions, 1 deletions

diff --git a/java/org/gnu/emacs/EmacsService.java b/java/org/gnu/emacs/EmacsService.java
index 77124a7d80f..7afe4c7f82e 100644
--- a/java/org/gnu/emacs/EmacsService.java
+++ b/java/org/gnu/emacs/EmacsService.java
@@ -987,6 +987,7 @@ public final class EmacsService extends Service
     String name, mode;
     ParcelFileDescriptor fd;
     int i;
+    Uri uriObject;
 
     /* Figure out the file access mode.  */
 
@@ -1001,12 +1002,20 @@ public final class EmacsService extends Service
     if (truncate)
       mode += "t";
 
+    /* Decode the URI.  It might be possible for a perverse user to
+       construct a content file name that Android finds unparsable, so
+       punt if the result is NULL.  */
+
+    uriObject = Uri.parse (uri);
+    if (uriObject == null)
+      return -1;
+
     /* Try to open a corresponding ParcelFileDescriptor.  Though
        `fd.detachFd' is exclusive to Honeycomb and up, this function is
        never called on systems older than KitKat, which is Emacs's
        minimum requirement for access to /content/by-authority.  */
 
-    fd = resolver.openFileDescriptor (Uri.parse (uri), mode);
+    fd = resolver.openFileDescriptor (uriObject, mode);
     if (fd == null)
       return -1;
 
@@ -1027,7 +1036,14 @@ public final class EmacsService extends Service
     Uri uri;
     int rc, flags;
 
+    /* Decode the URI.  It might be possible that perverse user should
+       construct a content file name that Android finds unparsable, so
+       punt if the result is NULL.  */
+
     uri = Uri.parse (name);
+    if (uri == null)
+      return false;
+
     flags = 0;
 
     if (readable)