commit 46fc48f57ea754372d5304a5903acf28b8d0d2c3
author TreeHugger Robot <treehugger-gerrit@google.com> Wed Jan 31 22:13:40 2018 +0000
committer Android (Google) Code Review <android-gerrit@google.com> Wed Jan 31 22:13:40 2018 +0000
tree 97bc5a3b2484705ded8009072f2907fa8c8d95d6
parent 5f7cdba8abe1845afd83c7ee5337f33d736c2ce3
parent 163548ed6aa4bf88f35157b7ee0818294817300f

Merge changes from topic "am-1ab9514f-fd12-4093-b1cb-a77e9f0419c9" into oc-dev

* changes:
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909 am: c3d7250b99 am: e2417e6682 am: 0ab4540c41 am: a3f0976937 am: 166aa6e149 am: b7f7f7e14e am: c26b8635b7 am: afac0f46d9 am: 5786491706
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909 am: c3d7250b99 am: e2417e6682 am: 0ab4540c41 am: a3f0976937 am: 166aa6e149 am: b7f7f7e14e am: c26b8635b7 am: afac0f46d9
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909 am: c3d7250b99 am: e2417e6682 am: 0ab4540c41 am: a3f0976937 am: 166aa6e149 am: b7f7f7e14e am: c26b8635b7
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909 am: c3d7250b99 am: e2417e6682 am: 0ab4540c41 am: a3f0976937 am: 166aa6e149 am: b7f7f7e14e
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909 am: c3d7250b99 am: e2417e6682 am: 0ab4540c41 am: a3f0976937 am: 166aa6e149
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909 am: c3d7250b99 am: e2417e6682 am: 0ab4540c41 am: a3f0976937
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909 am: c3d7250b99 am: e2417e6682 am: 0ab4540c41
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909 am: c3d7250b99 am: e2417e6682
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909 am: c3d7250b99
  [automerger] Check for null-terminator in ResStringPool::string8At am: 5ec65ae909
  Check for null-terminator in ResStringPool::string8At

libs/androidfw/ResourceTypes.cpp

diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp
index bab8883..1798d66 100644
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -813,7 +813,13 @@
             *outLen = encLen;
 
             if ((uint32_t)(str+encLen-strings) < mStringPoolSize) {
-                return (const char*)str;
+                // Reject malformed (non null-terminated) strings
+                if (str[encLen] != 0x00) {
+                    ALOGW("Bad string block: string #%d is not null-terminated",
+                          (int)idx);
+                    return NULL;
+                }
+              return (const char*)str;
             } else {
                 ALOGW("Bad string block: string #%d extends to %d, past end at %d\n",
                         (int)idx, (int)(str+encLen-strings), (int)mStringPoolSize);