[automerger] ResStringPool: Fix security vulnerability am: 7e54c3f261

Change-Id: I57e2ea2122d22341c43b9b445291cc4b02ec2b11
2018-04-13 20:34:20 +00:00
parent d672eef559 7e54c3f261
commit 98e2d2ec50
1 changed files with 18 additions and 0 deletions
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -455,6 +455,22 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData)

    uninit();

+    // The chunk must be at least the size of the string pool header.
+    if (size < sizeof(ResStringPool_header)) {
+        LOG_ALWAYS_FATAL("Bad string block: data size %zu is too small to be a string block", size);
+        return (mError=BAD_TYPE);
+    }
+
+    // The data is at least as big as a ResChunk_header, so we can safely validate the other
+    // header fields.
+    // `data + size` is safe because the source of `size` comes from the kernel/filesystem.
+    if (validate_chunk(reinterpret_cast<const ResChunk_header*>(data), sizeof(ResStringPool_header),
+                       reinterpret_cast<const uint8_t*>(data) + size,
+                       "ResStringPool_header") != NO_ERROR) {
+        LOG_ALWAYS_FATAL("Bad string block: malformed block dimensions");
+        return (mError=BAD_TYPE);
+    }
+
    const bool notDeviceEndian = htods(0xf0) != 0xf0;

    if (copyData || notDeviceEndian) {
@@ -466,6 +482,8 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData)
        data = mOwnedData;
    }

+    // The size has been checked, so it is safe to read the data in the ResStringPool_header
+    // data structure.
    mHeader = (const ResStringPool_header*)data;

    if (notDeviceEndian) {