authorVishwath Mohan <vishwath@google.com>2015-03-09 18:55:11 -0700
committerVishwath Mohan <vishwath@google.com>2015-03-10 12:34:08 -0700
commit6a2c23dc1bb17b3a2819a33dc6af77b293de1aae (patch)
treee4dc3e714d835e93dce3c34f1a487f9ec490db9f /libs/androidfw
parent53776a2b3c18f3eb2217e5e3af4dda187d0fee62 (diff)
Prevent integer overflow in ResourceTypes
Adds checks to 2 malloc() calls to ensure that the final allocated buffer size is not vulnerable to integer overflows. Also includes a sanity check on the upper bound for type_info.numEntries before each call. Bug: 15171384 Change-Id: Ifdf0276bcca7e3d93da7c3577b9486d3c03a9d03
Diffstat (limited to 'libs/androidfw')
-rw-r--r--libs/androidfw/ResourceTypes.cpp12
1 files changed, 8 insertions, 4 deletions
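diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp
index aca3e8c..6f93c820 100644
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -3116,7 +3116,8 @@ ResTable::Theme::package_info* ResTable::Theme::copy_package(package_info* pi)
 size_t cnt = pi->types[j].numEntries;
 newpi->types[j].numEntries = cnt;
 theme_entry* te = pi->types[j].entries;
-if (te != NULL) {
+size_t cnt_max = SIZE_MAX / sizeof(theme_entry);
+if (te != NULL && (cnt < 0xFFFFFFFF-1) && (cnt < cnt_max)) {
 theme_entry* newte = (theme_entry*)malloc(cnt*sizeof(theme_entry));
 newpi->types[j].entries = newte;
 memcpy(newte, te, cnt*sizeof(theme_entry));
@@ -3183,9 +3184,12 @@ status_t ResTable::Theme::applyStyle(uint32_t resID, bool force)
 if (curEntries == NULL) {
 PackageGroup* const grp = mTable.mPackageGroups[curPackageIndex];
 const TypeList& typeList = grp->types[t];
-int cnt = typeList.isEmpty() ? 0 : typeList[0]->entryCount;
-curEntries = (theme_entry*)malloc(cnt*sizeof(theme_entry));
-memset(curEntries, Res_value::TYPE_NULL, cnt*sizeof(theme_entry));
+size_t cnt = typeList.isEmpty() ? 0 : typeList[0]->entryCount;
+size_t cnt_max = SIZE_MAX / sizeof(theme_entry);
+size_t buff_size = (cnt < cnt_max && cnt < 0xFFFFFFFF-1) ?
+cnt*sizeof(theme_entry) : 0;
+curEntries = (theme_entry*)malloc(buff_size);
+memset(curEntries, Res_value::TYPE_NULL, buff_size);
 curPI->types[t].numEntries = cnt;
 curPI->types[t].entries = curEntries;
 }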
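Review bot: In the applyStyle hunk, `curPI->types[t].numEntries = cnt;` still records the unclamped count when the new bounds check fails: `buff_size` falls back to 0, so `curEntries` is a zero-byte allocation (or NULL), while `numEntries` claims `cnt` entries that any later index into `entries` would trust. Clamp the count rather than the byte size so the two stay consistent, e.g. `if (cnt >= cnt_max || cnt >= 0xFFFFFFFF-1) cnt = 0;` followed by `size_t buff_size = cnt*sizeof(theme_entry);`. The copy_package hunk has the same shape — `newpi->types[j].numEntries = cnt;` is assigned before the guarded malloc — so if its else branch (outside the hunk) leaves `entries` NULL, the count and pointer disagree there too. Neither hunk checks the malloc() result before memcpy()/memset(), and the `0xFFFFFFFF-1` bound deserves a one-line comment saying what it represents, since on 64-bit targets it, not `cnt_max`, is the effective limit. Both enclosing functions begin and end outside the hunks.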