#1936 Crash in HuamiSupport writeToChunked

Closed
opened 2 weeks ago by TaaviE · 3 comments
TaaviE commented 2 weeks ago
---
name: Bug report
about: `ArrayIndexOutOfBoundsException` in `writeToChunked`
---

I'm not familiar enough with the Huami protocol to make this fix myself, but there's an `ArrayIndexOutOfBoundsException` in `writeToChunked`. The crash isn't very frequent so it's probably not super trivial to trigger.

Stacktrace:

```
java.lang.RuntimeException: 
  at android.app.ActivityThread.handleServiceArgs (ActivityThread.java:3532)
  at android.app.ActivityThread.-wrap21 (Unknown Source)
  at android.app.ActivityThread$H.handleMessage (ActivityThread.java:1726)
  at android.os.Handler.dispatchMessage (Handler.java:106)
  at android.os.Looper.loop (Looper.java:164)
  at android.app.ActivityThread.main (ActivityThread.java:6548)
  at java.lang.reflect.Method.invoke (Method.java)
  at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run (RuntimeInit.java:438)
  at com.android.internal.os.ZygoteInit.main (ZygoteInit.java:857)
Caused by: java.lang.ArrayIndexOutOfBoundsException: 
  at java.lang.System.arraycopy (System.java:521)
  at ee.aegrel.gadgetbridge.service.devices.huami.HuamiSupport.writeToChunked (HuamiSupport.java:2419)
  at ee.aegrel.gadgetbridge.service.devices.huami.HuamiSupport.sendCalendarEventsAsReminder (HuamiSupport.java:1771)
  at ee.aegrel.gadgetbridge.service.devices.huami.HuamiSupport.onSetTime (HuamiSupport.java:750)
  at ee.aegrel.gadgetbridge.service.ServiceDeviceSupport.onSetTime (ServiceDeviceSupport.java:171)
  at ee.aegrel.gadgetbridge.service.DeviceCommunicationService.handleAction (DeviceCommunicationService.java:498)
  at ee.aegrel.gadgetbridge.service.DeviceCommunicationService.onStartCommand (DeviceCommunicationService.java:356)
  at android.app.ActivityThread.handleServiceArgs (ActivityThread.java:3515)
  at android.app.ActivityThread.-wrap21 (Unknown Source)
  at android.app.ActivityThread$H.handleMessage (ActivityThread.java:1726)
  at android.os.Handler.dispatchMessage (Handler.java:106)
  at android.os.Looper.loop (Looper.java:164)
  at android.app.ActivityThread.main (ActivityThread.java:6548)
  at java.lang.reflect.Method.invoke (Method.java)
  at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run (RuntimeInit.java:438)
  at com.android.internal.os.ZygoteInit.main (ZygoteInit.java:857)
```
ashimokawa commented 2 weeks ago
Owner

Oh I should be able to figure that out. Thanks for reporting!

ashimokawa self-assigned this 2 weeks ago
ashimokawa commented 2 weeks ago
Owner

This can only happen if mMTU is between 3 and 5, which makes no sense. I assume the bug is when parsing the mtu which the device announces.

```java
case HuamiDeviceEvent.MTU_REQUEST:
    // little-endian: value[1] is the low byte, value[2] the high byte
    int mtu = (value[2] & 0xff) << 8 | value[1] & 0xff;
    LOG.info("device announced MTU of " + mtu);
```

The code worked for me with the Mi Band 4 and Bip S, but I do not have a GTR/GTS to test.

TaaviE commented 2 weeks ago
Poster

@ashimokawa

> This can only happen if mMTU is between 3 and 5, which makes no sense. I assume the bug is when parsing the mtu which the device announces.

Hm, it is a relatively rare bug, could it be a mistake that occurs during transmission? Meaning that the device sends the wrong value.

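The following is an added, self-contained example written for this page; it is not Gadgetbridge's `HuamiSupport` code. It illustrates two points raised in the thread: ashimokawa's observation that the chunked write can only blow up when `mMTU` lands between 3 and 5, and TaaviE's suggestion that the announced value itself may be wrong on arrival. The chunker below is a simplified stand-in modelled on the crash (a 3-byte chunk header, `mtu - 6` payload bytes per chunk, and a simple flag byte); that framing is an assumption for the demo, not the device protocol. The MTU parse expression is the one quoted in the comment above. The ATT_MTU bounds are real: BLE's default/minimum is 23 bytes and Android's `BluetoothGatt` caps requests at 517.

```java
import java.util.ArrayList;
import java.util.List;

public class ChunkedWriteDemo {
    // Real BLE limits: default/minimum ATT_MTU is 23, Android allows at most 517.
    static final int MIN_ATT_MTU = 23;
    static final int MAX_ATT_MTU = 517;
    // Assumed framing for this demo: 3 header bytes per chunk, mtu - 6 payload bytes.
    static final int CHUNK_HEADER = 3;
    static final int PER_CHUNK_OVERHEAD = 6;

    /** Same little-endian parse as the MTU_REQUEST snippet: value[1] low byte, value[2] high byte. */
    static int parseAnnouncedMtu(byte[] value) {
        if (value == null || value.length < 3) {
            throw new IllegalArgumentException("MTU_REQUEST payload too short: "
                    + (value == null ? 0 : value.length) + " bytes");
        }
        return (value[2] & 0xff) << 8 | value[1] & 0xff;
    }

    /** Keep the announced MTU only if it is a plausible ATT_MTU; otherwise fall back to the BLE minimum. */
    static int sanitizeMtu(int announced) {
        if (announced < MIN_ATT_MTU || announced > MAX_ATT_MTU) {
            return MIN_ATT_MTU;
        }
        return announced;
    }

    /**
     * Unchecked chunker mirroring the failure mode. For mtu in 3..5, maxChunk is -3..-1,
     * so copy is negative: the chunk array is still allocatable (copy + 3 >= 0) but
     * System.arraycopy rejects the negative length with an index-out-of-bounds error.
     * For mtu <= 2 the array allocation itself fails, and for mtu == 6 no progress is
     * ever made (copy == 0), so the demo never calls this with such values.
     */
    static List<byte[]> chunkUnchecked(int mtu, int type, byte[] data) {
        final int maxChunk = mtu - PER_CHUNK_OVERHEAD;
        List<byte[]> chunks = new ArrayList<>();
        int remaining = data.length;
        int count = 0;
        while (remaining > 0) {
            int copy = Math.min(remaining, maxChunk);
            byte[] chunk = new byte[copy + CHUNK_HEADER];
            chunk[0] = 0;
            chunk[1] = (byte) ((remaining <= maxChunk ? 0x80 : 0) | type); // 0x80 = last chunk (assumed flag)
            chunk[2] = (byte) count;
            System.arraycopy(data, count * maxChunk, chunk, CHUNK_HEADER, copy);
            chunks.add(chunk);
            remaining -= copy;
            count++;
        }
        return chunks;
    }

    /** Hardened chunker: refuse any MTU that cannot carry at least one payload byte per chunk. */
    static List<byte[]> chunkChecked(int mtu, int type, byte[] data) {
        if (mtu - PER_CHUNK_OVERHEAD < 1) {
            throw new IllegalStateException("MTU " + mtu + " is too small for chunked writes");
        }
        return chunkUnchecked(mtu, type, data);
    }

    public static void main(String[] args) {
        byte[] payload = new byte[40]; // constructed sample payload
        for (int i = 0; i < payload.length; i++) payload[i] = (byte) i;

        // Constructed MTU_REQUEST payloads: byte 0 is an event id, bytes 1..2 the little-endian MTU.
        byte[] goodEvent = {0x16, (byte) 0xF3, 0x00}; // announces 243
        byte[] badEvent  = {0x16, 0x04, 0x00};        // announces 4, the range that crashes

        int good = parseAnnouncedMtu(goodEvent);
        System.out.println("announced " + good + " -> " + chunkChecked(good, 0x02, payload).size() + " chunk(s)");

        int bad = parseAnnouncedMtu(badEvent);
        try {
            chunkUnchecked(bad, 0x02, payload);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("announced " + bad + " -> unchecked chunker failed: " + e);
        }

        int sane = sanitizeMtu(bad);
        System.out.println("announced " + bad + " -> sanitized to " + sane + ", "
                + chunkChecked(sane, 0x02, payload).size() + " chunk(s)");
    }
}
```

Run with `javac ChunkedWriteDemo.java && java ChunkedWriteDemo`. With the 40-byte payload, an MTU of 243 yields one chunk, the corrupted value 4 makes the unchecked chunker throw from `System.arraycopy` exactly as in the reported trace, and clamping to the BLE minimum of 23 yields three chunks instead. The defensive point is the same whichever side is at fault: a value received from the peripheral is untrusted input, and validating it against the ATT_MTU range once, where it is parsed, keeps a single bad packet from crashing the whole communication service.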
ashimokawa closed this issue 1 week ago