commit 1808d437e687fbc7b054611bf51932ec0e8b32f0
author Vishwath Mohan <vishwath@google.com> Thu Mar 12 21:17:48 2015 +0000
committer Android (Google) Code Review <android-gerrit@google.com> Thu Mar 12 21:17:50 2015 +0000
tree 0e68c8083d3b29ab7e4bdf5a3621106159f26268
parent d6ee06a0c86d9d1556bb4b15c9aaea538e415e38
parent 6521a1b7430e7b3298633236645e2c0b5fd56c00

Merge "Enforce null-termination in ResStringPool::stringAt"

libs/androidfw/ResourceTypes.cpp

diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp
index 6f93c820..d5d583c 100644
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -701,6 +701,12 @@
 
                 *u16len = decodeLength(&str);
                 if ((uint32_t)(str+*u16len-strings) < mStringPoolSize) {
+                    // Reject malformed (non null-terminated) strings
+                    if (str[*u16len] != 0x0000) {
+                        ALOGW("Bad string block: string #%d is not null-terminated",
+                              (int)idx);
+                        return NULL;
+                    }
                     return reinterpret_cast<const char16_t*>(str);
                 } else {
                     ALOGW("Bad string block: string #%d extends to %d, past end at %d\n",
@@ -748,6 +754,13 @@
                         return NULL;
                     }
 
+                    // Reject malformed (non null-terminated) strings
+                    if (u8str[u8len] != 0x00) {
+                        ALOGW("Bad string block: string #%d is not null-terminated",
+                              (int)idx);
+                        return NULL;
+                    }
+
                     char16_t *u16str = (char16_t *)calloc(*u16len+1, sizeof(char16_t));
                     if (!u16str) {
                         ALOGW("No memory when trying to allocate decode cache for string #%d\n",