diff options
author | Vishwath Mohan <vishwath@google.com> | 2015-03-11 16:08:37 -0700 |
---|---|---|
committer | Vishwath Mohan <vishwath@google.com> | 2015-03-11 16:36:53 -0700 |
commit | 6521a1b7430e7b3298633236645e2c0b5fd56c00 (patch) | |
tree | 73fa9edcde604fc9048807998bd2fa2a7df43fdc /libs/androidfw | |
parent | 60cd30d99e69ada6d3e3e072ef64e36c4a2ba34d (diff) | |
download | frameworks_base-6521a1b7430e7b3298633236645e2c0b5fd56c00.zip frameworks_base-6521a1b7430e7b3298633236645e2c0b5fd56c00.tar.gz frameworks_base-6521a1b7430e7b3298633236645e2c0b5fd56c00.tar.bz2 |
Enforce null-termination in ResStringPool::stringAt
Rejects any non null-terminated string that a caller asks
ResStringPool::stringAt for, returning NULL instead.
The rationale for returning NULL rather than amending the string to add
a null-terminator is that conformant APK files will have all their
strings null-terminated anyway, and that this is a possible signal of a
malformed package.
Bug: 15288069
Change-Id: I370937b92f2cadf67fbd54203cbc7d1494be969f
Diffstat (limited to 'libs/androidfw')
-rw-r--r-- | libs/androidfw/ResourceTypes.cpp | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp index 6f93c820..d5d583c 100644 --- a/libs/androidfw/ResourceTypes.cpp +++ b/libs/androidfw/ResourceTypes.cpp @@ -701,6 +701,12 @@ const char16_t* ResStringPool::stringAt(size_t idx, size_t* u16len) const *u16len = decodeLength(&str); if ((uint32_t)(str+*u16len-strings) < mStringPoolSize) { + // Reject malformed (non null-terminated) strings + if (str[*u16len] != 0x0000) { + ALOGW("Bad string block: string #%d is not null-terminated", + (int)idx); + return NULL; + } return reinterpret_cast<const char16_t*>(str); } else { ALOGW("Bad string block: string #%d extends to %d, past end at %d\n", @@ -748,6 +754,13 @@ const char16_t* ResStringPool::stringAt(size_t idx, size_t* u16len) const return NULL; } + // Reject malformed (non null-terminated) strings + if (u8str[u8len] != 0x00) { + ALOGW("Bad string block: string #%d is not null-terminated", + (int)idx); + return NULL; + } + char16_t *u16str = (char16_t *)calloc(*u16len+1, sizeof(char16_t)); if (!u16str) { ALOGW("No memory when trying to allocate decode cache for string #%d\n", |