See CL I7a6a30bf8e8db9f2738594d187bb9148f138b8da for a more detailed
description of the change.
Test: see CL I7a6a30bf8e8db9f2738594d187bb9148f138b8da description
Bug: 80741439
Change-Id: I6cc9d713c07c319fc2ee1c531af41243bd1d4aee
Bug: 77808145
Test: Tried to install corrupt APK prior to the change, install failed
Test: Tried to install corrupt APK after the change, install succeeded
Test: atest CtsAppSecurityHostTestCases:CorruptApkTests
Change-Id: I19a69e52a17c1080beaf2cc575c32f564b1033a3
DynamicRefTables parsed from apks are missing bounds checks that prevent
buffer overflows. This changes verifies the bounds of the header before
attempting to preform operations on the chunk.
Bug: 79488511
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: I02c8ad957da244fce777ac68a482e4e8fa70f846
Merged-In: I02c8ad957da244fce777ac68a482e4e8fa70f846
Changes the logs adding in a previous security fix to warnings so
devices with malformed APKs currently on them will not undergo DOS when
they are upgraded to P.
Bug: 79724567
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: Ied54e4bb14abdaf79da562022c7ea6075187c1f8
XmlBlocks are cached in ResourcesImpl::loadXmlResourceParser(...) and
when asset manager invalidates itself, the references to the dynamic
reference tables point to garbage. Now, the reference table is cloned
when the XmlBlock is created so invalidation will not affect the
XmlTree.
Bug: 74240254
Test: Tested GoogleMaps on 9.75.7 and saw crashes stop
Change-Id: I932db7a85fddc640c4d6ec327f534b5a1ad6d0b1
See build/soong/README.md for more information.
Test: m libframeworks_coretests_jni
Test: m FrameworkCoreTests_install
Test: m libshim_jni
Test: m CtsShimPrivUpgrade
Test: m libfilterfw
Test: m PMTest_Java_dual
Test: m libdefcontainer_jni
Test: m libperftestscore_jni
Test: m libpmtest32 libpmtest64
Test: m libprintspooler_jni
Test: m libsmartcamera_jni
Test: m idmap
Test: m libdrmframework_jni
Test: m libdvr_loader com.google.vr.platform com.google.vr.platform.xml
Test: m libfilterpack_imageproc libfilterpack_base
Test: m libwebviewchromium_loader
Test: m shared_mem_test
Test: m test-touchlag
Change-Id: I868561dd237fa28647896d59049ab9260373ada1
AAPT would not print resource values for splits passed in with the -I
flag. This fix prints out each split separately with the correct type
specs and values.
Bug: 79195967
Test: aapt dump --values -I base-hdpi.apk resources base-master.apk
Change-Id: I223186136e98180fec4a3d96f92f53407db59e2d
These files are moving. Update the paths so that the old files can be
deleted.
Bug: 77525052
Test: ./build for one of these scripts
Change-Id: Iacca1f1930d6a2614866f6503a2b4c1eba4d4018
Pre-O, the platform treats negative resource IDs [those with
a package ID of 0x80 or higher] as invalid. In order to work
around this limitation, we allow the use of traditionally
reserved resource IDs [those between 0x02 and 0x7E].
Bug: 78041707
Test: ./out/host/linux-x86/nativetest64/aapt2_tests/aapt2_tests
Test: ./out/host/linux-x86/nativetest/libandroidfw_tests/libandroidfw_tests
Test: Manual. Create a feature split with a package ID of 0x7E and see it runs and can reference base resources.
Change-Id: I3d9782cc05d3a55e1a2467bf39566788847e1160
AAPT would allow for ids to be declared in the form:
<item name="name" type="id>@id/other</item>
@id/name should hold a reference to @id/other. When
getResources().getValue() is called on R.id.name with resolveRefs
enabled, the resuling reference should be R.id.other.
Bug: 69445910
Test: Created tests for correct parsing of id references and correct
resolving of deep references
Change-Id: Id1feb37b2565c213dc6a19b4c401906260d7fc14
Adds detection of attacker-modified size and data fields passed to
ResStringPool::setTo(). These attacks are modified apks that AAPT would
not normally generate. In the rare case this occurs, the installation
cannot be allowed to continue.
Bug: 71361168
Bug: 71360999
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
Merged-In: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
Style resources with circular parental dependencies caused infinite
recursion when calling AssetManager2::GetBag. This fix allows recursion
to cease when a circular dependency is found.
Bug: 77928512
Change-Id: Ib900c36ab1aef5da5b03234a9484c4dad3b63c02
Test: Manual test of b/77928512 and duplicates of 74493983
Adds detection of attacker-modified size and data fields passed to
ResStringPool::setTo(). These attacks are modified apks that AAPT would
not normally generate. In the rare case this occurs, the installation
cannot be allowed to continue.
Bug: 71361168
Bug: 71360999
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
AAPT incorrectly writes a truncated string length when the string size
exceeded the maximum possible encode length value (0x7FFF). To decode a
truncated length, this change iterates through length values that end
in the encode length bits. Strings that exceed the maximum encode length
are not placed into StringPools in AAPT2.
Test: Successfully ran broken apps from the duplicates of the bugs
provided and created tests
Bug: 69320870
Change-Id: I99dd9b63e91ac250f81d5dfc26b7c0e6276ae162
(cherry picked from commit ea9e8b447a)
An app was crashing because in an attempt to retrieve layout
attribute/style data, the app infinitely recursed because its parent was
set to itself. This change checks if the resource bag parent and child
have the same ids, and if so, attempts to find the resource in this bag
alone rather than attempting to also look in parent bags.
Bug: 74493983
Test: Manual testing of Fitbit app
Change-Id: Iea37533a0676bd51b72c9bb235adec9bd04f2ccc
(cherry picked from commit ac04095ba9)
AAPT incorrectly writes a truncated string length when the string size
exceeded the maximum possible encode length value (0x7FFF). To decode a
truncated length, this change iterates through length values that end
in the encode length bits. Strings that exceed the maximum encode length
are not placed into StringPools in AAPT2.
Test: Successfully ran broken apps from the duplicates of the bugs
provided and created tests
Bug: 69320870
Change-Id: I99dd9b63e91ac250f81d5dfc26b7c0e6276ae162
An app was crashing because in an attempt to retrieve layout
attribute/style data, the app infinitely recursed because its parent was
set to itself. This change checks if the resource bag parent and child
have the same ids, and if so, attempts to find the resource in this bag
alone rather than attempting to also look in parent bags.
Bug: 74493983
Test: Manual testing of Fitbit app
Change-Id: Iea37533a0676bd51b72c9bb235adec9bd04f2ccc
If we don't specifiy an output for R.java, don't try to write
data to the class definition
Change-Id: I3ad471ec93dcb8baf13f221174065679cce311ad
Fixes: 72547268
Test: out/host/linux-x86/nativetest64/aapt2_tests/aapt2_tests
