Ensure the ResTable data is at least the size of a ResTable_header
Change-Id: Ib8d5574bd6a125797a582837987332e66721e84d
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp
index 2889ea3..d765b25 100644
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -504,19 +504,22 @@
charSize = sizeof(char16_t);
}
- mStrings = (const void*)
- (((const uint8_t*)data)+mHeader->stringsStart);
- if (mHeader->stringsStart >= (mHeader->header.size-sizeof(uint16_t))) {
+ // There should be at least space for the smallest string
+ // (2 bytes length, null terminator).
+ if (mHeader->stringsStart >= (mSize - sizeof(uint16_t))) {
ALOGW("Bad string block: string pool starts at %d, after total size %d\n",
(int)mHeader->stringsStart, (int)mHeader->header.size);
return (mError=BAD_TYPE);
}
+
+ mStrings = (const void*)
+ (((const uint8_t*)data) + mHeader->stringsStart);
+
if (mHeader->styleCount == 0) {
- mStringPoolSize =
- (mHeader->header.size-mHeader->stringsStart)/charSize;
+ mStringPoolSize = (mSize - mHeader->stringsStart) / charSize;
} else {
// check invariant: styles starts before end of data
- if (mHeader->stylesStart >= (mHeader->header.size-sizeof(uint16_t))) {
+ if (mHeader->stylesStart >= (mSize - sizeof(uint16_t))) {
ALOGW("Bad style block: style block starts at %d past data size of %d\n",
(int)mHeader->stylesStart, (int)mHeader->header.size);
return (mError=BAD_TYPE);
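Review bot: Both warnings in this hunk still print `mHeader->header.size` as the limit although the comparisons now use `mSize`, so the log line for a rejected pool can report a size that was not the one checked; pass `(int)mSize` as the second argument of the "Bad string block" and "Bad style block" messages. If `mSize` is a `size_t`, `mSize - sizeof(uint16_t)` is an unsigned subtraction that wraps when `mSize` is below two bytes, and the guard would then pass. That case depends on an earlier minimum-size check which is not visible here, because the enclosing function starts and ends outside the hunk. The new comment describes a length plus a null terminator while only `sizeof(uint16_t)` is reserved, so the comment and the bound should be reconciled.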
@@ -3368,6 +3371,12 @@
return NO_ERROR;
}
+ if (dataSize < sizeof(ResTable_header)) {
+ ALOGE("Invalid data. Size(%d) is smaller than a ResTable_header(%d).",
+ (int) dataSize, (int) sizeof(ResTable_header));
+ return UNKNOWN_ERROR;
+ }
+
Header* header = new Header(this);
header->index = mHeaders.size();
header->cookie = cookie;
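Review bot: The new guard returns `UNKNOWN_ERROR` for input that is too short to hold a `ResTable_header`, while the malformed-data paths visible earlier in this file return `BAD_TYPE` and store it in `mError`, so a caller that inspects the stored error state may not see this rejection. If this class keeps an `mError` member (not visible in the hunk), `return (mError=BAD_TYPE);` would match those paths. The message also narrows both sizes to `int` for `%d`; assuming `dataSize` is a `size_t`, `%zu` with the uncast values reports them correctly for large inputs. This check only proves the buffer can hold the header, so the sizes declared inside the header still need to be validated against `dataSize` further down, which cannot be confirmed here because the function continues outside the hunk.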