Commit b97c257e authored by Clark Scheff

Themes: Fix native crash in libandroidfw

If a missing attribute needs to be added somewhere in the middle
of the bag, a segfault would occur because we change curEntry to a
value that is beyond the set's allocated space.  This patch stores
curEntry in prevEntry before changing its value and memmove uses
prevEntry to index the set.

Change-Id: Ie70f2ad465097c3acf76caa729999c424fb01ee2
parent 89a5500d
+3 −2
@@ -3780,6 +3780,7 @@ ssize_t ResTable::getBagLocked(uint32_t resID, const bag_entry** outBag,
                if ((!isInside) || oldName != newName) {
                    // This is a new attribute...  figure out what to do with it.
                    // Need to alloc more memory...
                    size_t prevEntry = curEntry;
                    curEntry = set->availAttrs;
                    set->availAttrs++;
                    const size_t newAvail = set->availAttrs;
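
Review bot: `size_t prevEntry = curEntry;` needs a comment and a clearer name, because on the very next line `curEntry` stops meaning "position in the bag" and becomes the old value of `set->availAttrs`. Something like `const size_t insertPos = curEntry;` with a one-line comment saying it is the in-bag position used for the `isInside` shift would keep the two indices from being confused again. It would also help to state in a comment whether reassigning `curEntry = set->availAttrs;` is intended when `isInside` is true, since that is the case the commit message says crashed.
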
@@ -3794,8 +3795,8 @@ ssize_t ResTable::getBagLocked(uint32_t resID, const bag_entry** outBag,
                                 set, entries, set->availAttrs));
                    if (isInside) {
                        // Going in the middle, need to make space.
                        memmove(entries+curEntry+1, entries+curEntry,
                                sizeof(bag_entry)*(set->numAttrs-curEntry));
                        memmove(entries+prevEntry+1, entries+prevEntry,
                                sizeof(bag_entry)*(set->numAttrs-prevEntry));
                    }
                    TABLE_NOISY(printf("#%d: Inserting new attribute: 0x%08x\n",
                                 curEntry, newName));
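
Review bot: the new `memmove` length `sizeof(bag_entry)*(set->numAttrs-prevEntry)` is computed in `size_t` with no bounds check, so if `prevEntry` is ever greater than `set->numAttrs` the subtraction wraps and the copy runs far outside the allocation. Please add an explicit check (or at least an assert) before the shift that `prevEntry <= set->numAttrs` and that `set->numAttrs < set->availAttrs`, so the entry moved to the top index still fits. Separately, the `TABLE_NOISY` line right after the block still reports `curEntry` as the insertion index while the gap was opened at `prevEntry`; please confirm that the entry written afterwards lands in the slot this `memmove` frees.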