
Commit 5a8a1151 authored by Christopher Tate

Try not to crash the system server because of corrupt restore data

When we're about to allocate an array based on the restore data for purposes of
unflattening a signature block, don't automatically assume that it's valid.  If
it's corrupt [and we've seen this in practice] we can wind up trying to allocate
an array with 1.8 million objects, and throw an OutOfMemoryError, bringing down
the system.

This change arbitrarily decides that no package should have more than 20
signatures in its block, and aborts the restore if the metadata is thus revealed
to be corrupt.
parent bcbcaa7e
+7 −0
@@ -327,6 +327,13 @@ public class PackageManagerBackupAgent extends BackupAgent {
        try {
            int num = in.readInt();
            Log.v(TAG, " ... unflatten read " + num);

            // Sensical?
            if (num > 20) {
                Log.e(TAG, "Suspiciously large sig count in restore data; aborting");
                throw new IllegalStateException("Bad restore state");
            }

            sigs = new Signature[num];
            for (int i = 0; i < num; i++) {
                int len = in.readInt();
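Review bot: the new guard at `if (num > 20)` only rejects large counts, so a corrupted negative value still reaches `sigs = new Signature[num]` and fails with a NegativeArraySizeException instead of the intended IllegalStateException; make the check `if (num < 0 || num > 20)`. The threshold 20 is a bare literal that the commit message itself calls arbitrary, so it belongs in a named constant with a comment recording why that bound was chosen. The per-signature `int len = in.readInt();` at the end of the hunk is read from the same untrusted stream and deserves the same range check before it is used to size a buffer.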