Loading libs/androidfw/ResourceTypes.cpp +36 −39 Original line number Original line Diff line number Diff line Loading @@ -101,21 +101,20 @@ static status_t validate_chunk(const ResChunk_header* chunk, if ((ssize_t)size <= (dataEnd-((const uint8_t*)chunk))) { if ((ssize_t)size <= (dataEnd-((const uint8_t*)chunk))) { return NO_ERROR; return NO_ERROR; } } ALOGW("%s data size %p extends beyond resource end %p.", ALOGW("%s data size 0x%x extends beyond resource end %p.", name, (void*)size, name, size, (void*)(dataEnd-((const uint8_t*)chunk))); (void*)(dataEnd-((const uint8_t*)chunk))); return BAD_TYPE; return BAD_TYPE; } } ALOGW("%s size 0x%x or headerSize 0x%x is not on an integer boundary.", ALOGW("%s size 0x%x or headerSize 0x%x is not on an integer boundary.", name, (int)size, (int)headerSize); name, (int)size, (int)headerSize); return BAD_TYPE; return BAD_TYPE; } } ALOGW("%s size %p is smaller than header size %p.", ALOGW("%s size 0x%x is smaller than header size 0x%x.", name, (void*)size, (void*)(int)headerSize); name, size, headerSize); return BAD_TYPE; return BAD_TYPE; } } ALOGW("%s header size %p is too small.", ALOGW("%s header size 0x%x is too small.", name, (void*)(int)headerSize); name, headerSize); return BAD_TYPE; return BAD_TYPE; } } Loading Loading @@ -3252,8 +3251,8 @@ status_t ResTable::addInternal(const void* data, size_t size, const int32_t cook } } curPackage++; curPackage++; } else { } else { ALOGW("Unknown chunk type %p in table at %p.\n", ALOGW("Unknown chunk type 0x%x in table at %p.\n", (void*)(int)(ctype), ctype, (void*)(((const uint8_t*)chunk) - ((const uint8_t*)header->header))); (void*)(((const uint8_t*)chunk) - ((const uint8_t*)header->header))); } } chunk = (const ResChunk_header*) chunk = (const ResChunk_header*) Loading Loading @@ -3469,8 +3468,8 @@ ssize_t ResTable::getResource(uint32_t resID, Res_value* outValue, bool mayBeBag if ((dtohs(entry->flags)&entry->FLAG_COMPLEX) != 0) { if ((dtohs(entry->flags)&entry->FLAG_COMPLEX) != 0) { if (!mayBeBag) { if (!mayBeBag) { ALOGW("Requesting resource %p failed because it is complex\n", ALOGW("Requesting resource 0x%x failed because it is complex\n", (void*)resID); resID); } } continue; continue; } } Loading Loading @@ -3745,8 +3744,8 @@ ssize_t ResTable::getBagLocked(uint32_t resID, const bag_entry** outBag, } } if ((dtohs(entry->flags)&entry->FLAG_COMPLEX) == 0) { if ((dtohs(entry->flags)&entry->FLAG_COMPLEX) == 0) { ALOGW("Skipping entry %p in package table %d because it is not complex!\n", ALOGW("Skipping entry 0x%x in package table %zu because it is not complex!\n", (void*)resID, (int)ip); resID, ip); continue; continue; } } Loading Loading @@ -5342,26 +5341,26 @@ status_t ResTable::parsePackage(const ResTable_package* const pkg, return (mError=err); return (mError=err); } } const size_t pkgSize = dtohl(pkg->header.size); const uint32_t pkgSize = dtohl(pkg->header.size); if (dtohl(pkg->typeStrings) >= pkgSize) { if (dtohl(pkg->typeStrings) >= pkgSize) { ALOGW("ResTable_package type strings at %p are past chunk size %p.", ALOGW("ResTable_package type strings at 0x%x are past chunk size 0x%x.", (void*)dtohl(pkg->typeStrings), (void*)pkgSize); dtohl(pkg->typeStrings), pkgSize); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if ((dtohl(pkg->typeStrings)&0x3) != 0) { if ((dtohl(pkg->typeStrings)&0x3) != 0) { ALOGW("ResTable_package type strings at %p is not on an integer boundary.", ALOGW("ResTable_package type strings at 0x%x is not on an integer boundary.", (void*)dtohl(pkg->typeStrings)); dtohl(pkg->typeStrings)); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if (dtohl(pkg->keyStrings) >= pkgSize) { if (dtohl(pkg->keyStrings) >= pkgSize) { ALOGW("ResTable_package key strings at %p are past chunk size %p.", ALOGW("ResTable_package key strings at 0x%x are past chunk size 0x%x.", (void*)dtohl(pkg->keyStrings), (void*)pkgSize); dtohl(pkg->keyStrings), pkgSize); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if ((dtohl(pkg->keyStrings)&0x3) != 0) { if ((dtohl(pkg->keyStrings)&0x3) != 0) { ALOGW("ResTable_package key strings at %p is not on an integer boundary.", ALOGW("ResTable_package key strings at 0x%x is not on an integer boundary.", (void*)dtohl(pkg->keyStrings)); dtohl(pkg->keyStrings)); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } Loading Loading @@ -5499,7 +5498,7 @@ status_t ResTable::parsePackage(const ResTable_package* const pkg, return (mError=err); return (mError=err); } } const size_t typeSize = dtohl(type->header.size); const uint32_t typeSize = dtohl(type->header.size); LOAD_TABLE_NOISY(printf("Type off %p: type=0x%x, headerSize=0x%x, size=%p\n", LOAD_TABLE_NOISY(printf("Type off %p: type=0x%x, headerSize=0x%x, size=%p\n", (void*)(base-(const uint8_t*)chunk), (void*)(base-(const uint8_t*)chunk), Loading @@ -5508,16 +5507,16 @@ status_t ResTable::parsePackage(const ResTable_package* const pkg, (void*)typeSize)); (void*)typeSize)); if (dtohs(type->header.headerSize)+(sizeof(uint32_t)*dtohl(type->entryCount)) if (dtohs(type->header.headerSize)+(sizeof(uint32_t)*dtohl(type->entryCount)) > typeSize) { > typeSize) { ALOGW("ResTable_type entry index to %p extends beyond chunk end %p.", ALOGW("ResTable_type entry index to %p extends beyond chunk end 0x%x.", (void*)(dtohs(type->header.headerSize) (void*)(dtohs(type->header.headerSize) +(sizeof(uint32_t)*dtohl(type->entryCount))), +(sizeof(uint32_t)*dtohl(type->entryCount))), (void*)typeSize); typeSize); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if (dtohl(type->entryCount) != 0 if (dtohl(type->entryCount) != 0 && dtohl(type->entriesStart) > (typeSize-sizeof(ResTable_entry))) { && dtohl(type->entriesStart) > (typeSize-sizeof(ResTable_entry))) { ALOGW("ResTable_type entriesStart at %p extends beyond chunk end %p.", ALOGW("ResTable_type entriesStart at 0x%x extends beyond chunk end 0x%x.", (void*)dtohl(type->entriesStart), (void*)typeSize); dtohl(type->entriesStart), typeSize); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if (type->id == 0) { if (type->id == 0) { Loading Loading @@ -5934,12 +5933,12 @@ void ResTable::print(bool inclValues) const size_t entryCount = dtohl(type->entryCount); size_t entryCount = dtohl(type->entryCount); uint32_t entriesStart = dtohl(type->entriesStart); uint32_t entriesStart = dtohl(type->entriesStart); if ((entriesStart&0x3) != 0) { if ((entriesStart&0x3) != 0) { printf(" NON-INTEGER ResTable_type entriesStart OFFSET: %p\n", (void*)entriesStart); printf(" NON-INTEGER ResTable_type entriesStart OFFSET: 0x%x\n", entriesStart); continue; continue; } } uint32_t typeSize = dtohl(type->header.size); uint32_t typeSize = dtohl(type->header.size); if ((typeSize&0x3) != 0) { if ((typeSize&0x3) != 0) { printf(" NON-INTEGER ResTable_type header.size: %p\n", (void*)typeSize); printf(" NON-INTEGER ResTable_type header.size: 0x%x\n", typeSize); continue; continue; } } for (size_t entryIndex=0; entryIndex<entryCount; entryIndex++) { for (size_t entryIndex=0; entryIndex<entryCount; entryIndex++) { Loading Loading @@ -5978,33 +5977,31 @@ void ResTable::print(bool inclValues) const printf(" INVALID RESOURCE 0x%08x: ", resID); printf(" INVALID RESOURCE 0x%08x: ", resID); } } if ((thisOffset&0x3) != 0) { if ((thisOffset&0x3) != 0) { printf("NON-INTEGER OFFSET: %p\n", (void*)thisOffset); printf("NON-INTEGER OFFSET: 0x%x\n", thisOffset); continue; continue; } } if ((thisOffset+sizeof(ResTable_entry)) > typeSize) { if ((thisOffset+sizeof(ResTable_entry)) > typeSize) { printf("OFFSET OUT OF BOUNDS: %p+%p (size is %p)\n", printf("OFFSET OUT OF BOUNDS: 0x%x+0x%x (size is 0x%x)\n", (void*)entriesStart, (void*)thisOffset, entriesStart, thisOffset, typeSize); (void*)typeSize); continue; continue; } } const ResTable_entry* ent = (const ResTable_entry*) const ResTable_entry* ent = (const ResTable_entry*) (((const uint8_t*)type) + entriesStart + thisOffset); (((const uint8_t*)type) + entriesStart + thisOffset); if (((entriesStart + thisOffset)&0x3) != 0) { if (((entriesStart + thisOffset)&0x3) != 0) { printf("NON-INTEGER ResTable_entry OFFSET: %p\n", printf("NON-INTEGER ResTable_entry OFFSET: 0x%x\n", (void*)(entriesStart + thisOffset)); (entriesStart + thisOffset)); continue; continue; } } uintptr_t esize = dtohs(ent->size); uintptr_t esize = dtohs(ent->size); if ((esize&0x3) != 0) { if ((esize&0x3) != 0) { printf("NON-INTEGER ResTable_entry SIZE: %p\n", (void*)esize); printf("NON-INTEGER ResTable_entry SIZE: 0x%x\n", esize); continue; continue; } } if ((thisOffset+esize) > typeSize) { if ((thisOffset+esize) > typeSize) { printf("ResTable_entry OUT OF BOUNDS: %p+%p+%p (size is %p)\n", printf("ResTable_entry OUT OF BOUNDS: 0x%x+0x%x+0x%x (size is 0x%x)\n", (void*)entriesStart, (void*)thisOffset, entriesStart, thisOffset, esize, typeSize); (void*)esize, (void*)typeSize); continue; continue; } } Loading Loading
libs/androidfw/ResourceTypes.cpp +36 −39 Original line number Original line Diff line number Diff line Loading @@ -101,21 +101,20 @@ static status_t validate_chunk(const ResChunk_header* chunk, if ((ssize_t)size <= (dataEnd-((const uint8_t*)chunk))) { if ((ssize_t)size <= (dataEnd-((const uint8_t*)chunk))) { return NO_ERROR; return NO_ERROR; } } ALOGW("%s data size %p extends beyond resource end %p.", ALOGW("%s data size 0x%x extends beyond resource end %p.", name, (void*)size, name, size, (void*)(dataEnd-((const uint8_t*)chunk))); (void*)(dataEnd-((const uint8_t*)chunk))); return BAD_TYPE; return BAD_TYPE; } } ALOGW("%s size 0x%x or headerSize 0x%x is not on an integer boundary.", ALOGW("%s size 0x%x or headerSize 0x%x is not on an integer boundary.", name, (int)size, (int)headerSize); name, (int)size, (int)headerSize); return BAD_TYPE; return BAD_TYPE; } } ALOGW("%s size %p is smaller than header size %p.", ALOGW("%s size 0x%x is smaller than header size 0x%x.", name, (void*)size, (void*)(int)headerSize); name, size, headerSize); return BAD_TYPE; return BAD_TYPE; } } ALOGW("%s header size %p is too small.", ALOGW("%s header size 0x%x is too small.", name, (void*)(int)headerSize); name, headerSize); return BAD_TYPE; return BAD_TYPE; } } Loading Loading @@ -3252,8 +3251,8 @@ status_t ResTable::addInternal(const void* data, size_t size, const int32_t cook } } curPackage++; curPackage++; } else { } else { ALOGW("Unknown chunk type %p in table at %p.\n", ALOGW("Unknown chunk type 0x%x in table at %p.\n", (void*)(int)(ctype), ctype, (void*)(((const uint8_t*)chunk) - ((const uint8_t*)header->header))); (void*)(((const uint8_t*)chunk) - ((const uint8_t*)header->header))); } } chunk = (const ResChunk_header*) chunk = (const ResChunk_header*) Loading Loading @@ -3469,8 +3468,8 @@ ssize_t ResTable::getResource(uint32_t resID, Res_value* outValue, bool mayBeBag if ((dtohs(entry->flags)&entry->FLAG_COMPLEX) != 0) { if ((dtohs(entry->flags)&entry->FLAG_COMPLEX) != 0) { if (!mayBeBag) { if (!mayBeBag) { ALOGW("Requesting resource %p failed because it is complex\n", ALOGW("Requesting resource 0x%x failed because it is complex\n", (void*)resID); resID); } } continue; continue; } } Loading Loading @@ -3745,8 +3744,8 @@ ssize_t ResTable::getBagLocked(uint32_t resID, const bag_entry** outBag, } } if ((dtohs(entry->flags)&entry->FLAG_COMPLEX) == 0) { if ((dtohs(entry->flags)&entry->FLAG_COMPLEX) == 0) { ALOGW("Skipping entry %p in package table %d because it is not complex!\n", ALOGW("Skipping entry 0x%x in package table %zu because it is not complex!\n", (void*)resID, (int)ip); resID, ip); continue; continue; } } Loading Loading @@ -5342,26 +5341,26 @@ status_t ResTable::parsePackage(const ResTable_package* const pkg, return (mError=err); return (mError=err); } } const size_t pkgSize = dtohl(pkg->header.size); const uint32_t pkgSize = dtohl(pkg->header.size); if (dtohl(pkg->typeStrings) >= pkgSize) { if (dtohl(pkg->typeStrings) >= pkgSize) { ALOGW("ResTable_package type strings at %p are past chunk size %p.", ALOGW("ResTable_package type strings at 0x%x are past chunk size 0x%x.", (void*)dtohl(pkg->typeStrings), (void*)pkgSize); dtohl(pkg->typeStrings), pkgSize); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if ((dtohl(pkg->typeStrings)&0x3) != 0) { if ((dtohl(pkg->typeStrings)&0x3) != 0) { ALOGW("ResTable_package type strings at %p is not on an integer boundary.", ALOGW("ResTable_package type strings at 0x%x is not on an integer boundary.", (void*)dtohl(pkg->typeStrings)); dtohl(pkg->typeStrings)); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if (dtohl(pkg->keyStrings) >= pkgSize) { if (dtohl(pkg->keyStrings) >= pkgSize) { ALOGW("ResTable_package key strings at %p are past chunk size %p.", ALOGW("ResTable_package key strings at 0x%x are past chunk size 0x%x.", (void*)dtohl(pkg->keyStrings), (void*)pkgSize); dtohl(pkg->keyStrings), pkgSize); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if ((dtohl(pkg->keyStrings)&0x3) != 0) { if ((dtohl(pkg->keyStrings)&0x3) != 0) { ALOGW("ResTable_package key strings at %p is not on an integer boundary.", ALOGW("ResTable_package key strings at 0x%x is not on an integer boundary.", (void*)dtohl(pkg->keyStrings)); dtohl(pkg->keyStrings)); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } Loading Loading @@ -5499,7 +5498,7 @@ status_t ResTable::parsePackage(const ResTable_package* const pkg, return (mError=err); return (mError=err); } } const size_t typeSize = dtohl(type->header.size); const uint32_t typeSize = dtohl(type->header.size); LOAD_TABLE_NOISY(printf("Type off %p: type=0x%x, headerSize=0x%x, size=%p\n", LOAD_TABLE_NOISY(printf("Type off %p: type=0x%x, headerSize=0x%x, size=%p\n", (void*)(base-(const uint8_t*)chunk), (void*)(base-(const uint8_t*)chunk), Loading @@ -5508,16 +5507,16 @@ status_t ResTable::parsePackage(const ResTable_package* const pkg, (void*)typeSize)); (void*)typeSize)); if (dtohs(type->header.headerSize)+(sizeof(uint32_t)*dtohl(type->entryCount)) if (dtohs(type->header.headerSize)+(sizeof(uint32_t)*dtohl(type->entryCount)) > typeSize) { > typeSize) { ALOGW("ResTable_type entry index to %p extends beyond chunk end %p.", ALOGW("ResTable_type entry index to %p extends beyond chunk end 0x%x.", (void*)(dtohs(type->header.headerSize) (void*)(dtohs(type->header.headerSize) +(sizeof(uint32_t)*dtohl(type->entryCount))), +(sizeof(uint32_t)*dtohl(type->entryCount))), (void*)typeSize); typeSize); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if (dtohl(type->entryCount) != 0 if (dtohl(type->entryCount) != 0 && dtohl(type->entriesStart) > (typeSize-sizeof(ResTable_entry))) { && dtohl(type->entriesStart) > (typeSize-sizeof(ResTable_entry))) { ALOGW("ResTable_type entriesStart at %p extends beyond chunk end %p.", ALOGW("ResTable_type entriesStart at 0x%x extends beyond chunk end 0x%x.", (void*)dtohl(type->entriesStart), (void*)typeSize); dtohl(type->entriesStart), typeSize); return (mError=BAD_TYPE); return (mError=BAD_TYPE); } } if (type->id == 0) { if (type->id == 0) { Loading Loading @@ -5934,12 +5933,12 @@ void ResTable::print(bool inclValues) const size_t entryCount = dtohl(type->entryCount); size_t entryCount = dtohl(type->entryCount); uint32_t entriesStart = dtohl(type->entriesStart); uint32_t entriesStart = dtohl(type->entriesStart); if ((entriesStart&0x3) != 0) { if ((entriesStart&0x3) != 0) { printf(" NON-INTEGER ResTable_type entriesStart OFFSET: %p\n", (void*)entriesStart); printf(" NON-INTEGER ResTable_type entriesStart OFFSET: 0x%x\n", entriesStart); continue; continue; } } uint32_t typeSize = dtohl(type->header.size); uint32_t typeSize = dtohl(type->header.size); if ((typeSize&0x3) != 0) { if ((typeSize&0x3) != 0) { printf(" NON-INTEGER ResTable_type header.size: %p\n", (void*)typeSize); printf(" NON-INTEGER ResTable_type header.size: 0x%x\n", typeSize); continue; continue; } } for (size_t entryIndex=0; entryIndex<entryCount; entryIndex++) { for (size_t entryIndex=0; entryIndex<entryCount; entryIndex++) { Loading Loading @@ -5978,33 +5977,31 @@ void ResTable::print(bool inclValues) const printf(" INVALID RESOURCE 0x%08x: ", resID); printf(" INVALID RESOURCE 0x%08x: ", resID); } } if ((thisOffset&0x3) != 0) { if ((thisOffset&0x3) != 0) { printf("NON-INTEGER OFFSET: %p\n", (void*)thisOffset); printf("NON-INTEGER OFFSET: 0x%x\n", thisOffset); continue; continue; } } if ((thisOffset+sizeof(ResTable_entry)) > typeSize) { if ((thisOffset+sizeof(ResTable_entry)) > typeSize) { printf("OFFSET OUT OF BOUNDS: %p+%p (size is %p)\n", printf("OFFSET OUT OF BOUNDS: 0x%x+0x%x (size is 0x%x)\n", (void*)entriesStart, (void*)thisOffset, entriesStart, thisOffset, typeSize); (void*)typeSize); continue; continue; } } const ResTable_entry* ent = (const ResTable_entry*) const ResTable_entry* ent = (const ResTable_entry*) (((const uint8_t*)type) + entriesStart + thisOffset); (((const uint8_t*)type) + entriesStart + thisOffset); if (((entriesStart + thisOffset)&0x3) != 0) { if (((entriesStart + thisOffset)&0x3) != 0) { printf("NON-INTEGER ResTable_entry OFFSET: %p\n", printf("NON-INTEGER ResTable_entry OFFSET: 0x%x\n", (void*)(entriesStart + thisOffset)); (entriesStart + thisOffset)); continue; continue; } } uintptr_t esize = dtohs(ent->size); uintptr_t esize = dtohs(ent->size); if ((esize&0x3) != 0) { if ((esize&0x3) != 0) { printf("NON-INTEGER ResTable_entry SIZE: %p\n", (void*)esize); printf("NON-INTEGER ResTable_entry SIZE: 0x%x\n", esize); continue; continue; } } if ((thisOffset+esize) > typeSize) { if ((thisOffset+esize) > typeSize) { printf("ResTable_entry OUT OF BOUNDS: %p+%p+%p (size is %p)\n", printf("ResTable_entry OUT OF BOUNDS: 0x%x+0x%x+0x%x (size is 0x%x)\n", (void*)entriesStart, (void*)thisOffset, entriesStart, thisOffset, esize, typeSize); (void*)esize, (void*)typeSize); continue; continue; } } Loading
