Merge "Fix DynamicRefTable::load security bug" into oc-mr1-dev

2018-06-06 22:16:36 +00:00
parent 4ae55000b2 18a6ada4aa
commit 2b6805fedc
1 changed files with 9 additions and 1 deletions
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -6576,8 +6576,16 @@ status_t ResTable::parsePackage(const ResTable_package* const pkg,
            }

        } else if (ctype == RES_TABLE_LIBRARY_TYPE) {
+
            if (group->dynamicRefTable.entries().size() == 0) {
-                status_t err = group->dynamicRefTable.load((const ResTable_lib_header*) chunk);
+                const ResTable_lib_header* lib = (const ResTable_lib_header*) chunk;
+                status_t err = validate_chunk(&lib->header, sizeof(*lib),
+                                              endPos, "ResTable_lib_header");
+                if (err != NO_ERROR) {
+                    return (mError=err);
+                }
+
+                err = group->dynamicRefTable.load(lib);
                if (err != NO_ERROR) {
                    return (mError=err);
                }