Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c91e0eda authored by Kenny Root's avatar Kenny Root
Browse files

Add invariant check for stylesString size 

It was possible for stylesStrings to claim to start past the end of the
data area thereby making mStringPoolSize larger than the data area.

Change-Id: Ibc4d5b429e3a388516135801c8abc3681daae291
parent 67c4219a

libs/utils/ResourceTypes.cpp

+6 −0
Original line number Diff line number Diff line
@@ -317,6 +317,12 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData) 
            mStringPoolSize =

                (mHeader->header.size-mHeader->stringsStart)/charSize;

        } else {

            // check invariant: styles starts before end of data

            if (mHeader->stylesStart >= (mHeader->header.size-sizeof(uint16_t))) {

                LOGW("Bad style block: style block starts at %d past data size of %d\n",

                    (int)mHeader->stylesStart, (int)mHeader->header.size);

                return (mError=BAD_TYPE);

            }

            // check invariant: styles follow the strings

            if (mHeader->stylesStart <= mHeader->stringsStart) {

                LOGW("Bad style block: style block starts at %d, before strings at %d\n",