diff options
| author | Adam Lesinski <adamlesinski@google.com> | 2017-11-09 17:12:17 -0800 |
|---|---|---|
| committer | Tim Schumacher <timschumi@gmx.de> | 2018-04-06 22:31:45 +0200 |
| commit | 3c294c183faa2d292f9a59f81f27f9b3a7e75d4b (patch) | |
| tree | 560384d1c127e593598bd03304659d930b5e27f5 | |
| parent | d3762927d245ed5053d9d3febdfa7d62fef9ef79 (diff) | |
| download | frameworks_base-3c294c183faa2d292f9a59f81f27f9b3a7e75d4b.tar.gz frameworks_base-3c294c183faa2d292f9a59f81f27f9b3a7e75d4b.tar.bz2 frameworks_base-3c294c183faa2d292f9a59f81f27f9b3a7e75d4b.zip | |
Check for null-terminator in ResStringPool::string8At
All other stringAt methods check for null termination. Be consistent
so that upper levels don't end up with huge corrupt strings.
Bug: 62537081
Test: none
Change-Id: I17bdfb0c1e34507b66c6cad651bbdb12c5d4c417
(cherry picked from commit 3d35a0ea307693a97583a61973e729a5e7db2687)
(cherry picked from commit 97f8cb01149b35b1832c7f9efe85ff19edf1083e)
(cherry picked from commit 5ec65ae909a85d13d03c030be357c8c14a50d306)
| -rw-r--r-- | libs/androidfw/ResourceTypes.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp index 6b498cd60e6..5b04eb9f05c 100644 --- a/libs/androidfw/ResourceTypes.cpp +++ b/libs/androidfw/ResourceTypes.cpp @@ -814,7 +814,13 @@ const char* ResStringPool::string8At(size_t idx, size_t* outLen) const *outLen = decodeLength(&str); size_t encLen = decodeLength(&str); if ((uint32_t)(str+encLen-strings) < mStringPoolSize) { - return (const char*)str; + // Reject malformed (non null-terminated) strings + if (str[encLen] != 0x00) { + ALOGW("Bad string block: string #%d is not null-terminated", + (int)idx); + return NULL; + } + return (const char*)str; } else { ALOGW("Bad string block: string #%d extends to %d, past end at %d\n", (int)idx, (int)(str+encLen-strings), (int)mStringPoolSize); |