From 7322ea7b73000ef50be18d72750624bb1832dec4 Mon Sep 17 00:00:00 2001
From: Adam Lesinski
Date: Wed, 14 May 2014 11:43:26 -0700
Subject: Fix potential crash in libandroidfw
A malformed APK may cause a crash if it encodes its chunk size as a signed number (MSB set to 1).
Bug:14898892
Change-Id: I342853c2b0859e5be15d712d451323afc367d329
---
 libs/androidfw/ResourceTypes.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp
index 6aad5fb..7d4da01 100644
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -102,7 +102,7 @@ static status_t validate_chunk(const ResChunk_header* chunk,
 if (headerSize >= minSize) {
 if (headerSize <= size) {
 if (((headerSize|size)&0x3) == 0) {
- if ((ssize_t)size <= (dataEnd-((const uint8_t*)chunk))) {
+ if ((size_t)size <= (size_t)(dataEnd-((const uint8_t*)chunk))) {
 return NO_ERROR;
 }
 ALOGW("%s data size 0x%x extends beyond resource end %p.",
-- cgit v1.1
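Review bot: The `(size_t)` cast on the pointer difference in the rewritten bounds check turns a negative `dataEnd-((const uint8_t*)chunk)` into a very large value, so the comparison would pass for any `size` if `chunk` ever pointed past `dataEnd`. Whether callers guarantee `chunk <= dataEnd` is not visible here, since validate_chunk starts and ends outside the hunk; if they do not, make the ordering explicit: `if ((const uint8_t*)chunk <= dataEnd && (size_t)size <= (size_t)(dataEnd-((const uint8_t*)chunk))) {`. If they do, a comment stating the precondition is enough: `// chunk <= dataEnd is guaranteed by the caller, so the difference is non-negative`. A regression test that parses a chunk whose size field has the top bit set would keep the signed comparison from coming back.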