Commit 86cfcaa6 authored by Android Build Merger (Role)'s avatar Android Build Merger (Role)

[automerger] ResStringPool: Fix security vulnerability am: 7e54c3f2 am:...

[automerger] ResStringPool: Fix security vulnerability am: 7e54c3f2 am: 98e2d2ec am: 24a89da3 am: d85632ae am: 927b3357 am: 79d0fb25 am: a509e771 am: 80e36faa am: 76d71fa9

Change-Id: I971b589190cae708a08dd568290807dff0f75349
parents e5776af8 76d71fa9
......@@ -457,6 +457,22 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData)
uninit();
// The chunk must be at least the size of the string pool header.
if (size < sizeof(ResStringPool_header)) {
LOG_ALWAYS_FATAL("Bad string block: data size %zu is too small to be a string block", size);
return (mError=BAD_TYPE);
}
// The data is at least as big as a ResChunk_header, so we can safely validate the other
// header fields.
// `data + size` is safe because the source of `size` comes from the kernel/filesystem.
if (validate_chunk(reinterpret_cast<const ResChunk_header*>(data), sizeof(ResStringPool_header),
reinterpret_cast<const uint8_t*>(data) + size,
"ResStringPool_header") != NO_ERROR) {
LOG_ALWAYS_FATAL("Bad string block: malformed block dimensions");
return (mError=BAD_TYPE);
}
const bool notDeviceEndian = htods(0xf0) != 0xf0;
if (copyData || notDeviceEndian) {
......@@ -468,6 +484,8 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData)
data = mOwnedData;
}
// The size has been checked, so it is safe to read the data in the ResStringPool_header
// data structure.
mHeader = (const ResStringPool_header*)data;
if (notDeviceEndian) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment