Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7322ea7b authored by Adam Lesinski's avatar Adam Lesinski
Browse files

Fix potential crash in libandroidfw 

A malformed APK may cause a crash if it
encodes its chunk size as a signed number
(MSB set to 1).

Bug:14898892
Change-Id: I342853c2b0859e5be15d712d451323afc367d329
parent da86f784

libs/androidfw/ResourceTypes.cpp

+1 −1
Original line number Diff line number Diff line
@@ -102,7 +102,7 @@ static status_t validate_chunk(const ResChunk_header* chunk, 
    if (headerSize >= minSize) {

        if (headerSize <= size) {

            if (((headerSize|size)&0x3) == 0) {

                if ((ssize_t)size <= (dataEnd-((const uint8_t*)chunk))) {

                if ((size_t)size <= (size_t)(dataEnd-((const uint8_t*)chunk))) {

                    return NO_ERROR;

                }

                ALOGW("%s data size 0x%x extends beyond resource end %p.",