Fix std::vector out-of-bounds access in Flutter Android JNI and Delegate#187218
Merged
Conversation
|
It looks like this pull request may not have tests. Please make sure to add tests or get an explicit test exemption before merging. If you are not sure if you need tests, consider this rule of thumb: the purpose of a test is to make sure someone doesn't accidentally revert the fix. Ask yourself, is there anything in your PR that you feel it is important we not accidentally revert back to how it was before your fix? Reviewers: Read the Tree Hygiene page and make sure this patch meets those guidelines before LGTMing. If you believe this PR qualifies for a test exemption, contact "@test-exemption-reviewer" in the #hackers channel in Discord (don't just cc them here, they won't see it!). The test exemption team is a small volunteer group, so all reviewers should feel empowered to ask for tests, without delegating that responsibility entirely to the test exemption group. |
Contributor
There was a problem hiding this comment.
Code Review
This pull request adds safety checks to ensure that operations on std::vector buffers are only performed when they are not empty, preventing potential undefined behavior or crashes. Feedback suggests using std::vector::data() instead of &vector[0] as a cleaner and safer, idiomatic C++ standard for obtaining pointers to the underlying array.
Comment on lines
+192
to
+193
| int32_t* buffer_int32 = reinterpret_cast<int32_t*>(&buffer[0]); | ||
| float* buffer_float32 = reinterpret_cast<float*>(&buffer[0]); |
Contributor
There was a problem hiding this comment.
Using std::vector::data() is the standard and idiomatic way to obtain a pointer to the underlying array in modern C++. It is cleaner and safer than using &vector[0].
Suggested change
| int32_t* buffer_int32 = reinterpret_cast<int32_t*>(&buffer[0]); | |
| float* buffer_float32 = reinterpret_cast<float*>(&buffer[0]); | |
| int32_t* buffer_int32 = reinterpret_cast<int32_t*>(buffer.data()); | |
| float* buffer_float32 = reinterpret_cast<float*>(buffer.data()); |
References
- The repository follows the Google C++ Style Guide, which encourages modern, safe, and idiomatic C++ practices. Using
std::vector::data()is preferred over&vector[0]as it is the standard way to access the underlying array and is safe even when the vector might be empty (returningnullptrinstead of causing undefined behavior). (link)
Comment on lines
+287
to
+288
| int32_t* actions_buffer_int32 = | ||
| reinterpret_cast<int32_t*>(&actions_buffer[0]); |
Contributor
There was a problem hiding this comment.
Using std::vector::data() is the standard and idiomatic way to obtain a pointer to the underlying array in modern C++. It is cleaner and safer than using &vector[0].
Suggested change
| int32_t* actions_buffer_int32 = | |
| reinterpret_cast<int32_t*>(&actions_buffer[0]); | |
| int32_t* actions_buffer_int32 = | |
| reinterpret_cast<int32_t*>(actions_buffer.data()); |
References
- The repository follows the Google C++ Style Guide, which encourages modern, safe, and idiomatic C++ practices. Using
std::vector::data()is preferred over&vector[0]as it is the standard way to access the underlying array and is safe even when the vector might be empty (returningnullptrinstead of causing undefined behavior). (link)
Contributor
Author
There was a problem hiding this comment.
Changed all the &vec[0] in this file to vec.data()
| &boundsIntVector[0]); | ||
| if (rectSize > 0) { | ||
| env->GetIntArrayRegion(javaDisplayFeaturesBounds, 0, rectSize, | ||
| &boundsIntVector[0]); |
Contributor
There was a problem hiding this comment.
Using std::vector::data() is the standard and idiomatic way to obtain a pointer to the underlying array in modern C++. It is cleaner and safer than using &vector[0].
boundsIntVector.data());References
- The repository follows the Google C++ Style Guide, which encourages modern, safe, and idiomatic C++ practices. Using
std::vector::data()is preferred over&vector[0]as it is the standard way to access the underlying array and is safe even when the vector might be empty (returningnullptrinstead of causing undefined behavior). (link)
| &displayFeaturesType[0]); | ||
| if (typeSize > 0) { | ||
| env->GetIntArrayRegion(javaDisplayFeaturesType, 0, typeSize, | ||
| &displayFeaturesType[0]); |
Contributor
There was a problem hiding this comment.
Using std::vector::data() is the standard and idiomatic way to obtain a pointer to the underlying array in modern C++. It is cleaner and safer than using &vector[0].
displayFeaturesType.data());References
- The repository follows the Google C++ Style Guide, which encourages modern, safe, and idiomatic C++ practices. Using
std::vector::data()is preferred over&vector[0]as it is the standard way to access the underlying array and is safe even when the vector might be empty (returningnullptrinstead of causing undefined behavior). (link)
| &displayFeaturesState[0]); | ||
| if (stateSize > 0) { | ||
| env->GetIntArrayRegion(javaDisplayFeaturesState, 0, stateSize, | ||
| &displayFeaturesState[0]); |
Contributor
There was a problem hiding this comment.
Using std::vector::data() is the standard and idiomatic way to obtain a pointer to the underlying array in modern C++. It is cleaner and safer than using &vector[0].
displayFeaturesState.data());References
- The repository follows the Google C++ Style Guide, which encourages modern, safe, and idiomatic C++ practices. Using
std::vector::data()is preferred over&vector[0]as it is the standard way to access the underlying array and is safe even when the vector might be empty (returningnullptrinstead of causing undefined behavior). (link)
Contributor
|
Sorry you waited on my review. I do not have a strong enough understanding of c code to review this change. Added @gaaclarke to find a better reviewer. |
gaaclarke
reviewed
Jun 8, 2026
Comment on lines
278
to
280
| jni_facade_->FlutterViewUpdateSemantics(buffer, strings, | ||
| string_attribute_args); | ||
| } |
Member
There was a problem hiding this comment.
This is changing the order of FlutterViewUpdateSemantics and FlutterViewUpdateCustomAccessibilityActions. It'd be safer to keep that order.
Contributor
Author
There was a problem hiding this comment.
Updated, kept the original order.
Comment on lines
+287
to
+288
| int32_t* actions_buffer_int32 = | ||
| reinterpret_cast<int32_t*>(&actions_buffer[0]); |
This CL addresses potential `std::vector` index out-of-bounds errors in the Flutter engine's Android native code, detected by libc++ hardening (go/cc-hardening-assertions). The issues stem from unsafe `&vector[0]` accesses on potentially empty vectors. 1. **platform_view_android_jni_impl.cc (SetViewportMetrics):** Added size checks before using `GetIntArrayRegion` on vectors created from JNI arrays, which can be empty. 2. **platform_view_android_delegate.cc (UpdateSemantics):** Moved buffer pointer initializations (e.g., `&buffer[0]`) and their usage to be within `!empty()` checks, preventing access on zero-sized vectors. These changes ensure safe vector handling, particularly when empty data is passed via JNI. See cl/922343981
96136ee to
5a5d9b0
Compare
Contributor
Author
|
@gaaclarke Added tests for this. I have to admit that I don't know much about this (I didn't author the original PR anyway, only helping them to send it here) so I asked Gemini for help, please check if the tests added by Gemini makes sense. Thanks! |
This was referenced Jun 13, 2026
auto-submit Bot
pushed a commit
to flutter/packages
that referenced
this pull request
Jun 15, 2026
Roll Flutter from b7cb925419e6 to 5827d5fd2b8d (35 revisions) flutter/flutter@b7cb925...5827d5f 2026-06-15 engine-flutter-autoroll@skia.org Roll Skia from 7128af60575a to c8d9f80f13e4 (1 revision) (flutter/flutter#188015) 2026-06-15 jason-simmons@users.noreply.github.com In the APNG decoder, validate the chunk data length before calling GetChunkSize to avoid potential overflow in the chunk size calculation (flutter/flutter#187949) 2026-06-15 engine-flutter-autoroll@skia.org Roll Skia from 6b4ac3bfb39d to 7128af60575a (1 revision) (flutter/flutter#188011) 2026-06-15 engine-flutter-autoroll@skia.org Roll Skia from 0a3b8549cbf0 to 6b4ac3bfb39d (7 revisions) (flutter/flutter#188007) 2026-06-15 98614782+auto-submit[bot]@users.noreply.github.com Reverts "[a11y] Map some framework semantics roles to android classes. (#185217)" (flutter/flutter#188008) 2026-06-15 chris@bracken.jp [ios] Filter UIScene events to those relating to Flutter VC scene (flutter/flutter#187987) 2026-06-15 jhy03261997@gmail.com [a11y] Map some framework semantics roles to android classes. (flutter/flutter#185217) 2026-06-15 engine-flutter-autoroll@skia.org Roll Skia from f46928e7f50c to 0a3b8549cbf0 (1 revision) (flutter/flutter#188004) 2026-06-14 stuartmorgan@google.com Rework docs for flutter/packages changelogs (flutter/flutter#187666) 2026-06-14 engine-flutter-autoroll@skia.org Roll Fuchsia Linux SDK from nvzMQAmuRSzo7-wAP... to TbB86Po_HDe1dvXvT... (flutter/flutter#187997) 2026-06-14 engine-flutter-autoroll@skia.org Roll Skia from 4e2c9b5e4dad to f46928e7f50c (1 revision) (flutter/flutter#187996) 2026-06-14 engine-flutter-autoroll@skia.org Roll Skia from c52667607242 to 4e2c9b5e4dad (1 revision) (flutter/flutter#187990) 2026-06-14 737941+loic-sharma@users.noreply.github.com Improve RenderTargetCache docs (flutter/flutter#187893) 2026-06-13 brackenavaron@gmail.com [Test cross_imports] Check cross imports in flutter_test/** (flutter/flutter#187587) 2026-06-13 matt.kosarek@canonical.com Fixing corrupted window size OnEmptyFrameGenerated due to transpsed width/height (flutter/flutter#187954) 2026-06-13 engine-flutter-autoroll@skia.org Roll Skia from 42355271a335 to c52667607242 (2 revisions) (flutter/flutter#187979) 2026-06-13 engine-flutter-autoroll@skia.org Roll Fuchsia Linux SDK from A3eaUn9mQ_EkSNxVI... to nvzMQAmuRSzo7-wAP... (flutter/flutter#187975) 2026-06-13 engine-flutter-autoroll@skia.org Roll Skia from 9ef46390c2d1 to 42355271a335 (1 revision) (flutter/flutter#187974) 2026-06-13 bdero@google.com [Flutter GPU] Make ShaderLibrary.fromAsset asynchronous (flutter/flutter#187716) 2026-06-13 engine-flutter-autoroll@skia.org Roll Skia from 8c89bf2b0ee3 to 9ef46390c2d1 (6 revisions) (flutter/flutter#187968) 2026-06-12 bdero@google.com [Flutter GPU] Add surface API for framework presentation (flutter/flutter#187358) 2026-06-12 bkonyi@google.com [gen_l10n] Exclude inherited keys from untranslated-messages-file (flutter/flutter#187950) 2026-06-12 31859944+LongCatIsLooong@users.noreply.github.com Update `MediaQueryData` docs for devicePixelRatio overriding (flutter/flutter#187542) 2026-06-12 bdero@google.com [Impeller] Fix dirty-range race in DeviceBufferGLES uploads (flutter/flutter#187932) 2026-06-12 pascal@phntm.xyz Compare isModifiedAfter against the given time (flutter/flutter#187727) 2026-06-12 planetmarshall@users.noreply.github.com Enable unit tests for compilation of compute shaders on non-metal backends (flutter/flutter#179683) 2026-06-12 matt.boetger@gmail.com [flutter_tools] Add doctor validator warning for multiple adb installations (flutter/flutter#186031) 2026-06-12 matt.boetger@gmail.com Optimize SHA hash calculation of generated APK (flutter/flutter#187184) 2026-06-12 mu7ammadkamel@hotmail.com Scope widget inspector overlay to the selected widget's modal route (flutter/flutter#186784) 2026-06-12 30870216+gaaclarke@users.noreply.github.com Switches Windows to OpenGLESSDF (flutter/flutter#187877) 2026-06-12 matt.boetger@gmail.com [integration_test] Update README to support modern Kotlin-based setups by default (flutter/flutter#186080) 2026-06-12 jason-simmons@users.noreply.github.com Convert the PNG signature constant in APNGImageGenerator to a std::array and use it in the APNG tests (flutter/flutter#187930) 2026-06-12 matt.boetger@gmail.com Correct backoff retry time cap unit and add regression tests (flutter/flutter#187250) 2026-06-12 chingjun@google.com Fix std::vector out-of-bounds access in Flutter Android JNI and Delegate (flutter/flutter#187218) 2026-06-12 matt.boetger@gmail.com [Android] Adding 30-second timeouts to adb stopApp and uninstallApp (flutter/flutter#187876) If this roll has caused a breakage, revert this CL and stop the roller using the controls here: https://autoroll.skia.org/r/flutter-packages Please CC bmparr@google.com,stuartmorgan@google.com on the revert to ensure that a human is aware of the problem. To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose To report a problem with the AutoRoller itself, please file a bug: https://issues.skia.org/issues/new?component=1389291&template=1850622 ...
via-guy
pushed a commit
to via-guy/flutter
that referenced
this pull request
Jun 26, 2026
…ate (flutter#187218) This CL addresses potential `std::vector` index out-of-bounds errors in the Flutter engine's Android native code, detected by libc++ hardening (go/cc-hardening-assertions). The issues stem from unsafe `&vector[0]` accesses on potentially empty vectors. 1. **platform_view_android_jni_impl.cc (SetViewportMetrics):** Added size checks before using `GetIntArrayRegion` on vectors created from JNI arrays, which can be empty. 2. **platform_view_android_delegate.cc (UpdateSemantics):** Moved buffer pointer initializations (e.g., `&buffer[0]`) and their usage to be within `!empty()` checks, preventing access on zero-sized vectors. These changes ensure safe vector handling, particularly when empty data is passed via JNI. See cl/922343981
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This CL addresses potential
std::vectorindex out-of-bounds errors in the Flutter engine's Android native code, detected by libc++ hardening (go/cc-hardening-assertions). The issues stem from unsafe&vector[0]accesses on potentially empty vectors.GetIntArrayRegionon vectors created from JNI arrays, which can be empty.&buffer[0]) and their usage to be within!empty()checks, preventing access on zero-sized vectors.These changes ensure safe vector handling, particularly when empty data is passed via JNI.
See cl/922343981