Ensure the ResTable data is at least the size of a ResTable_header

Change-Id: Ib8d5574bd6a125797a582837987332e66721e84d
author: Adam Lesinski <adamlesinski@google.com> 2014-07-25 15:25:04 -0700
committer: Adam Lesinski <adamlesinski@google.com> 2014-07-29 17:42:34 +0000
commit: f28d505dc5f72d82cd791a5b9c7be3775eab75e5 (patch)
tree: f49a0df6b4763d401be0a80a749dc1cc069109e7 /libs/androidfw
parent: f4bf67012b2109ead9a4cb9c4407563fc3671255 (diff)
download: frameworks_base-f28d505dc5f72d82cd791a5b9c7be3775eab75e5.zip
frameworks_base-f28d505dc5f72d82cd791a5b9c7be3775eab75e5.tar.gz
frameworks_base-f28d505dc5f72d82cd791a5b9c7be3775eab75e5.tar.bz2
1 files changed, 15 insertions, 6 deletions
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp
index 2889ea3..d765b25 100644
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -504,19 +504,22 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData)
             charSize = sizeof(char16_t);
         }
 
-        mStrings = (const void*)
-            (((const uint8_t*)data)+mHeader->stringsStart);
-        if (mHeader->stringsStart >= (mHeader->header.size-sizeof(uint16_t))) {
+        // There should be at least space for the smallest string
+        // (2 bytes length, null terminator).
+        if (mHeader->stringsStart >= (mSize - sizeof(uint16_t))) {
             ALOGW("Bad string block: string pool starts at %d, after total size %d\n",
                     (int)mHeader->stringsStart, (int)mHeader->header.size);
             return (mError=BAD_TYPE);
         }
+
+        mStrings = (const void*)
+            (((const uint8_t*)data) + mHeader->stringsStart);
+
         if (mHeader->styleCount == 0) {
-            mStringPoolSize =
-                (mHeader->header.size-mHeader->stringsStart)/charSize;
+            mStringPoolSize = (mSize - mHeader->stringsStart) / charSize;
         } else {
             // check invariant: styles starts before end of data
-            if (mHeader->stylesStart >= (mHeader->header.size-sizeof(uint16_t))) {
+            if (mHeader->stylesStart >= (mSize - sizeof(uint16_t))) {
                 ALOGW("Bad style block: style block starts at %d past data size of %d\n",
                     (int)mHeader->stylesStart, (int)mHeader->header.size);
                 return (mError=BAD_TYPE);
@@ -3368,6 +3371,12 @@ status_t ResTable::addInternal(const void* data, size_t dataSize, const void* id
         return NO_ERROR;
     }
 
+    if (dataSize < sizeof(ResTable_header)) {
+        ALOGE("Invalid data. Size(%d) is smaller than a ResTable_header(%d).",
+                (int) dataSize, (int) sizeof(ResTable_header));
+        return UNKNOWN_ERROR;
+    }
+
     Header* header = new Header(this);
     header->index = mHeaders.size();
     header->cookie = cookie;
author	Adam Lesinski <adamlesinski@google.com>	2014-07-25 15:25:04 -0700
committer	Adam Lesinski <adamlesinski@google.com>	2014-07-29 17:42:34 +0000
commit	f28d505dc5f72d82cd791a5b9c7be3775eab75e5 (patch)
tree	f49a0df6b4763d401be0a80a749dc1cc069109e7 /libs/androidfw
parent	f4bf67012b2109ead9a4cb9c4407563fc3671255 (diff)
download	frameworks_base-f28d505dc5f72d82cd791a5b9c7be3775eab75e5.zip frameworks_base-f28d505dc5f72d82cd791a5b9c7be3775eab75e5.tar.gz frameworks_base-f28d505dc5f72d82cd791a5b9c7be3775eab75e5.tar.bz2