Loading libs/androidfw/ResourceTypes.cpp +18 −0 Original line number Original line Diff line number Diff line Loading @@ -457,6 +457,22 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData) uninit(); uninit(); // The chunk must be at least the size of the string pool header. if (size < sizeof(ResStringPool_header)) { LOG_ALWAYS_FATAL("Bad string block: data size %zu is too small to be a string block", size); return (mError=BAD_TYPE); } // The data is at least as big as a ResChunk_header, so we can safely validate the other // header fields. // `data + size` is safe because the source of `size` comes from the kernel/filesystem. if (validate_chunk(reinterpret_cast<const ResChunk_header*>(data), sizeof(ResStringPool_header), reinterpret_cast<const uint8_t*>(data) + size, "ResStringPool_header") != NO_ERROR) { LOG_ALWAYS_FATAL("Bad string block: malformed block dimensions"); return (mError=BAD_TYPE); } const bool notDeviceEndian = htods(0xf0) != 0xf0; const bool notDeviceEndian = htods(0xf0) != 0xf0; if (copyData || notDeviceEndian) { if (copyData || notDeviceEndian) { Loading @@ -468,6 +484,8 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData) data = mOwnedData; data = mOwnedData; } } // The size has been checked, so it is safe to read the data in the ResStringPool_header // data structure. mHeader = (const ResStringPool_header*)data; mHeader = (const ResStringPool_header*)data; if (notDeviceEndian) { if (notDeviceEndian) { Loading Loading
libs/androidfw/ResourceTypes.cpp +18 −0 Original line number Original line Diff line number Diff line Loading @@ -457,6 +457,22 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData) uninit(); uninit(); // The chunk must be at least the size of the string pool header. if (size < sizeof(ResStringPool_header)) { LOG_ALWAYS_FATAL("Bad string block: data size %zu is too small to be a string block", size); return (mError=BAD_TYPE); } // The data is at least as big as a ResChunk_header, so we can safely validate the other // header fields. // `data + size` is safe because the source of `size` comes from the kernel/filesystem. if (validate_chunk(reinterpret_cast<const ResChunk_header*>(data), sizeof(ResStringPool_header), reinterpret_cast<const uint8_t*>(data) + size, "ResStringPool_header") != NO_ERROR) { LOG_ALWAYS_FATAL("Bad string block: malformed block dimensions"); return (mError=BAD_TYPE); } const bool notDeviceEndian = htods(0xf0) != 0xf0; const bool notDeviceEndian = htods(0xf0) != 0xf0; if (copyData || notDeviceEndian) { if (copyData || notDeviceEndian) { Loading @@ -468,6 +484,8 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData) data = mOwnedData; data = mOwnedData; } } // The size has been checked, so it is safe to read the data in the ResStringPool_header // data structure. mHeader = (const ResStringPool_header*)data; mHeader = (const ResStringPool_header*)data; if (notDeviceEndian) { if (notDeviceEndian) { Loading
