Fix large memory corruption in AAPT
When assigning a new string pool to a package, don't release the
reference to the old memory immediately: the cleanup code that runs
afterwards (in setStrings()) still references the old memory.
Bug: 16155257
Change-Id: I3eaeb81191b71a282a0ef82856023f09707f1b17
diff --git a/tools/aapt/ResourceTable.cpp b/tools/aapt/ResourceTable.cpp
index 1a9f1b9..ac54638 100644
--- a/tools/aapt/ResourceTable.cpp
+++ b/tools/aapt/ResourceTable.cpp
@@ -3846,22 +3846,30 @@
status_t ResourceTable::Package::setTypeStrings(const sp<AaptFile>& data)
{
- mTypeStringsData = data;
status_t err = setStrings(data, &mTypeStrings, &mTypeStringsMapping);
if (err != NO_ERROR) {
fprintf(stderr, "ERROR: Type string data is corrupt!\n");
+ return err;
}
- return err;
+
+ // Retain a reference to the new data after we've successfully replaced
+ // all uses of the old reference (in setStrings() ).
+ mTypeStringsData = data;
+ return NO_ERROR;
}
status_t ResourceTable::Package::setKeyStrings(const sp<AaptFile>& data)
{
- mKeyStringsData = data;
status_t err = setStrings(data, &mKeyStrings, &mKeyStringsMapping);
if (err != NO_ERROR) {
fprintf(stderr, "ERROR: Key string data is corrupt!\n");
+ return err;
}
- return err;
+
+ // Retain a reference to the new data after we've successfully replaced
+ // all uses of the old reference (in setStrings() ).
+ mKeyStringsData = data;
+ return NO_ERROR;
}
status_t ResourceTable::Package::setStrings(const sp<AaptFile>& data,
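Review bot: The new early `return err;` paths in setTypeStrings() and setKeyStrings() keep the old `mTypeStringsData`/`mKeyStringsData` alive but leave whatever setStrings() did to `mTypeStrings`/`mTypeStringsMapping` (and the key equivalents) in place; if setStrings() can fail after it has already repointed the pool at `data`'s buffer, the pool now refers to memory this Package does not retain, and the same cleanup that the commit message describes could read freed memory once the caller drops `data`. setStrings() begins on the last context line and its body is outside this hunk, so that is an inference to confirm rather than a defect I can point to. Either way the contract the fix relies on should be stated where it is relied on, e.g. replace the comment above `mTypeStringsData = data;` with `// setStrings() must not touch mTypeStrings until the new pool has been validated: on failure we keep the old data reference, so the pool must still point at it.` (mirrored in setKeyStrings()). Since the two setters are now identical apart from the three members they touch and the error string, a single private helper taking those as parameters would keep the ordering invariant in one place rather than two.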