From a730ef3f77fc495bc90199b4d45efab26d609782 Mon Sep 17 00:00:00 2001
From: Leon Scroggins III
Date: Tue, 27 Jan 2015 11:12:02 -0500
Subject: Handle bad ninepatch data. Changes proposed by Ben Hawkes of Google Project Zero. NinePatchPeeker.cpp: Instead of asserting, return false for bad data. ResourceTypes.h: Store ninepatch values as unsigned.
BUG:19151999
Change-Id: Ibe35e7569f632c6bb8a34a7701e26bb6ed547ec2
---
 core/jni/android/graphics/NinePatchPeeker.cpp | 4 +++-
 include/androidfw/ResourceTypes.h | 6 +++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/core/jni/android/graphics/NinePatchPeeker.cpp b/core/jni/android/graphics/NinePatchPeeker.cpp
index 1dafa1b..d99ddeb 100644
--- a/core/jni/android/graphics/NinePatchPeeker.cpp
+++ b/core/jni/android/graphics/NinePatchPeeker.cpp
@@ -24,7 +24,9 @@ bool NinePatchPeeker::peek(const char tag[], const void* data, size_t length) {
 if (!strcmp("npTc", tag) && length >= sizeof(Res_png_9patch)) {
 Res_png_9patch* patch = (Res_png_9patch*) data;
 size_t patchSize = patch->serializedSize();
- assert(length == patchSize);
+ if (length != patchSize) {
+ return false;
+ }
 // You have to copy the data because it is owned by the png reader
 Res_png_9patch* patchNew = (Res_png_9patch*) malloc(patchSize);
 memcpy(patchNew, patch, patchSize);
diff --git a/include/androidfw/ResourceTypes.h b/include/androidfw/ResourceTypes.h
index f2d85b4..bf993f4 100644
--- a/include/androidfw/ResourceTypes.h
+++ b/include/androidfw/ResourceTypes.h
@@ -118,9 +118,9 @@ struct Res_png_9patch
 yDivsOffset(0), colorsOffset(0) { }
 int8_t wasDeserialized;
- int8_t numXDivs;
- int8_t numYDivs;
- int8_t numColors;
+ uint8_t numXDivs;
+ uint8_t numYDivs;
+ uint8_t numColors;
 // The offset (from the start of this structure) to the xDivs & yDivs
 // array for this 9patch. To get a pointer to this array, call
-- cgit v1.1
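Review bot: The result of `malloc(patchSize)` in the trailing context of the NinePatchPeeker.cpp hunk is still handed straight to `memcpy` without a null check, so an allocation failure while handling an `npTc` chunk becomes a null-pointer write. Since the commit already turns the size mismatch into a clean failure, the same treatment fits here: `if (patchNew == NULL) return false;` before the copy. A short comment above the new check would also help, for example `// data is untrusted chunk content; the memcpy below relies on length == patchSize`, because the removed `assert` presumably gave no protection in builds where asserts are compiled out. The body of peek() starts and ends outside the hunk, so what a `false` return means to the decoder cannot be confirmed from here.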
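Review bot: The three count fields in the ResourceTypes.h hunk change signedness with no comment saying why, and the reason is security-relevant: the commit message describes this as handling bad ninepatch data, and as `int8_t` any byte of 0x80 or above was a negative count in size and index arithmetic. I would add `// Counts may come from untrusted data; keep them unsigned so size arithmetic cannot go negative.` above `numXDivs`. Code that copies these fields into `int8_t` or `char` locals would reintroduce the sign problem, and any consumer that assumed a maximum of 127 now sees values up to 255; neither kind of use is visible in this hunk, so both are worth a search across the tree. The struct definition continues outside the hunk.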