Adds detection of attacker-modified size and data fields passed to
ResStringPool::setTo(). These attacks are modified apks that AAPT would
not normally generate. In the rare case this occurs, the installation
cannot be allowed to continue.
Bug: 71361168
Bug: 71360999
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
AAPT incorrectly writes a truncated string length when the string size
exceeded the maximum possible encode length value (0x7FFF). To decode a
truncated length, this change iterates through length values that end
in the encode length bits. Strings that exceed the maximum encode length
are not placed into StringPools in AAPT2.
Test: Successfully ran broken apps from the duplicates of the bugs
provided and created tests
Bug: 69320870
Change-Id: I99dd9b63e91ac250f81d5dfc26b7c0e6276ae162
(cherry picked from commit ea9e8b447a)
An app was crashing because in an attempt to retrieve layout
attribute/style data, the app infinitely recursed because its parent was
set to itself. This change checks if the resource bag parent and child
have the same ids, and if so, attempts to find the resource in this bag
alone rather than attempting to also look in parent bags.
Bug: 74493983
Test: Manual testing of Fitbit app
Change-Id: Iea37533a0676bd51b72c9bb235adec9bd04f2ccc
(cherry picked from commit ac04095ba9)
AAPT incorrectly writes a truncated string length when the string size
exceeded the maximum possible encode length value (0x7FFF). To decode a
truncated length, this change iterates through length values that end
in the encode length bits. Strings that exceed the maximum encode length
are not placed into StringPools in AAPT2.
Test: Successfully ran broken apps from the duplicates of the bugs
provided and created tests
Bug: 69320870
Change-Id: I99dd9b63e91ac250f81d5dfc26b7c0e6276ae162
An app was crashing because in an attempt to retrieve layout
attribute/style data, the app infinitely recursed because its parent was
set to itself. This change checks if the resource bag parent and child
have the same ids, and if so, attempts to find the resource in this bag
alone rather than attempting to also look in parent bags.
Bug: 74493983
Test: Manual testing of Fitbit app
Change-Id: Iea37533a0676bd51b72c9bb235adec9bd04f2ccc
If we don't specifiy an output for R.java, don't try to write
data to the class definition
Change-Id: I3ad471ec93dcb8baf13f221174065679cce311ad
Fixes: 72547268
Test: out/host/linux-x86/nativetest64/aapt2_tests/aapt2_tests
List was skipping directories. Include them, and add tests to ensure
the order and precedence is correct.
Bug: 72511641
Test: make libandroidfw_tests
Test: atest CtsContentTestCases:AssetManagerTest
Change-Id: Iadf45883283d3e4aae93bd7c3343745912e34fa0
AssetManager2 assumes that RES_TABLE_TYPE_SPEC_TYPEs must immediately
precede their associated RES_TABLE_TYPE_TYPEs. This is not correct.
RES_TABLE_TYPE_SPEC_TYPEs must precede their associated
RES_TABLE_TYPE_TYPEs, but they do not need to immediately precede them.
For example, this is what we currently expect:
RES_TABLE_TYPE_SPEC_TYPE id=1
RES_TABLE_TYPE_TYPE id=1
RES_TABLE_TYPE_SPEC_TYPE id=2
RES_TABLE_TYPE_TYPE id=2
but this is also valid:
RES_TABLE_TYPE_SPEC_TYPE id=1
RES_TABLE_TYPE_SPEC_TYPE id=2
RES_TABLE_TYPE_TYPE id=1
RES_TABLE_TYPE_TYPE id=2
Bug: 73052092
Test: make libandroidfw_tests
Change-Id: I1f3c43760f8108eee24c2c6ed7bc16f70e951c2b
AssetManager2 relied on creating a list of configurations
present in the resource table so as to avoid copying and
converting ResTable_config's from the APK on every
resource retrieval.
ResTable, however, had a better optimization that pruned
the configurations that didn't match the currently set
configuration. This vastly reduced the number of ResTable_configs
to test.
In this CL, AssetManager2 follows suite with this optimization
and only maintains the filtered ResTable_configs, falling back
to the slow path when the configuration is overridden.
Test: mma frameworks/base/libs/androidfw
Test: adb sync system data
Test: adb shell /data/benchmarktest64/libandroidfw_benchmarks/libandroidfw_benchmarks
Change-Id: Ib57b75fbb32e1d310eec146e5a12dfc6de4385f9
When an app is loaded as a shared library (eg. monochrome),
make sure to set the bit that it loaded as such, so that
conversions from package ID 7f -> shared library ID are done.
Bug: 72511998
Test: make libandroidfw_tests
Test: out/host/<host_os>/nativetest64/libandroidfw_tests/libandroidfw_tests
Change-Id: Icd11b7a5adff351165ca16d5853fb5a0002c34b1
This CL will support the followings.
- installing a RRO package for framework from /product/overlay
- installing apps from /product/app
- installing priv-apps from /product/priv-app
- installing permissions from
/product/etc/[default-permissions|permissions|sysconfig]
Bug: 64195575
Test: `mm` under frameworks/base/tests/[libs|privapp]-permissions
adb sync && adb reboot
adb shell cmd package list libraries
=> confirmed com.android.test.libs.product library
adb shell cmd package dump \
com.android.framework.permission.privapp.tests.product
=> confirmed that the package is a priv-app
And I moved vendor/overlay/framework-res__auto_generated_rro.apk into
system/product/overlay/ on sailfish, and I confirmed that the RRO was
installed properly.
Change-Id: I16175933cebd9ec665d190cc5d564b5414a91827
AssetManager2 relied on creating a list of configurations
present in the resource table so as to avoid copying and
converting ResTable_config's from the APK on every
resource retrieval.
ResTable, however, had a better optimization that pruned
the configurations that didn't match the currently set
configuration. This vastly reduced the number of ResTable_configs
to test.
In this CL, AssetManager2 follows suite with this optimization
and only maintains the filtered ResTable_configs, falling back
to the slow path when the configuration is overridden.
Test: mma frameworks/base/libs/androidfw
Test: adb sync system data
Test: adb shell /data/benchmarktest64/libandroidfw_benchmarks/libandroidfw_benchmarks
Change-Id: I5d46f8b005a37b72750d00bd75f090e7b5a36f60
Take into account numbering system when selecting a matching
resource configuration. Add numbering system specifier into the
generated BCP 47 language tag.
Test: build and run libandroidfw_tests
Bug: 71873777
Change-Id: I3afda181f36de4b29a7be270b6f7593c2261fd71
All other stringAt methods check for null termination. Be consistent
so that upper levels don't end up with huge corrupt strings.
Bug: 62537081
Test: none
Change-Id: I17bdfb0c1e34507b66c6cad651bbdb12c5d4c417
(cherry picked from commit 3d35a0ea30)
(cherry picked from commit 97f8cb01149b35b1832c7f9efe85ff19edf1083e)
The unsigned integer overflow sanitizer catches an overflow on
Res_GETPACKAGE usages. This is used in a number of places in
ResourceTypes.cpp in a number of large functions. For now, lets disable
the sanitizer in this source file.
Test: Compiles and device boots without runtime errors.
Bug: 30969751
Change-Id: Id9e0776ef819c895a3194a32da5c85459f1af431
Merged-In: Id9e0776ef819c895a3194a32da5c85459f1af431
(cherry picked from commit 02828740da)
