authorVishwath Mohan <vishwath@google.com>2015-03-11 16:08:37 -0700
committerVishwath Mohan <vishwath@google.com>2015-03-11 16:36:53 -0700
commit6521a1b7430e7b3298633236645e2c0b5fd56c00 (patch)
tree73fa9edcde604fc9048807998bd2fa2a7df43fdc /libs/androidfw
parent60cd30d99e69ada6d3e3e072ef64e36c4a2ba34d (diff)
Enforce null-termination in ResStringPool::stringAt
Rejects any string that is not null-terminated when a caller asks ResStringPool::stringAt for it, returning NULL instead. The rationale for returning NULL rather than amending the string to add a null-terminator is that conformant APK files will have all their strings null-terminated anyway, and that a missing terminator is a possible signal of a malformed package. Bug: 15288069 Change-Id: I370937b92f2cadf67fbd54203cbc7d1494be969f
Diffstat (limited to 'libs/androidfw')
-rw-r--r--libs/androidfw/ResourceTypes.cpp13
1 files changed, 13 insertions, 0 deletions
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp
index 6f93c820..d5d583c 100644
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -701,6 +701,12 @@ const char16_t* ResStringPool::stringAt(size_t idx, size_t* u16len) const
*u16len = decodeLength(&str);
if ((uint32_t)(str+*u16len-strings) < mStringPoolSize) {
+ // Reject malformed (non null-terminated) strings
+ if (str[*u16len] != 0x0000) {
+ ALOGW("Bad string block: string #%d is not null-terminated",
+ (int)idx);
+ return NULL;
+ }
return reinterpret_cast<const char16_t*>(str);
} else {
ALOGW("Bad string block: string #%d extends to %d, past end at %d\n",
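Review bot: The new terminator read `str[*u16len]` is only in-bounds because it sits inside the `(uint32_t)(str+*u16len-strings) < mStringPoolSize` branch directly above it; that dependency is what keeps this check from becoming an out-of-pool read if someone later hoists it, so the added comment should say so, e.g. `// Reject malformed (non null-terminated) strings; the enclosing bounds check guarantees str[*u16len] is inside the pool`. The same applies to the UTF-8 check in the second hunk (`u8str[u8len]`), whose guarding bounds check lies above that hunk and is not visible here. Separately, the new `"Bad string block: string #%d is not null-terminated"` message lacks the trailing `\n` that the neighbouring ALOGW strings in this function carry; harmless for logging, but inconsistent, and it recurs in the second hunk. The body of stringAt continues past this hunk.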
@@ -748,6 +754,13 @@ const char16_t* ResStringPool::stringAt(size_t idx, size_t* u16len) const
return NULL;
}
+ // Reject malformed (non null-terminated) strings
+ if (u8str[u8len] != 0x00) {
+ ALOGW("Bad string block: string #%d is not null-terminated",
+ (int)idx);
+ return NULL;
+ }
+
char16_t *u16str = (char16_t *)calloc(*u16len+1, sizeof(char16_t));
if (!u16str) {
ALOGW("No memory when trying to allocate decode cache for string #%d\n",