diff options
| author | Ryan Mitchell <rtmitchell@google.com> | 2019-08-23 11:45:04 -0700 |
|---|---|---|
| committer | Ryan Mitchell <rtmitchell@google.com> | 2019-08-23 13:11:14 -0700 |
| commit | 8da1c38b69e947885fcec50cda46c5472ddb6746 (patch) | |
| tree | 0bde6149b1b989b27aaf97a83703b5775ba83c9a /libs/androidfw | |
| parent | 3dc631cfc9b08b385f2f11b072b314cce0f8bdb3 (diff) | |
Fix security issue in DynamicRefTable::load.
A crafted resources arsc could cause libandroidfw to read data out of
bounds of the resources arsc. This change updates the logic to calculate
whether the ref table chunk is large enough to hold the number of
entries specified in the header.
Bug: 129475100
Test: adb shell push ResTableTest data
Test: adb shell push poc.arsc data
Test: ./ResTableTest poc.arsc
Change-Id: Ifbaad87bdbcb7eecf554ef362e0118f53532a22a
Diffstat (limited to 'libs/androidfw')
| -rw-r--r-- | libs/androidfw/ResourceTypes.cpp | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp index 2ad2e76cc696..8a035dbbc0f5 100644 --- a/libs/androidfw/ResourceTypes.cpp +++ b/libs/androidfw/ResourceTypes.cpp @@ -6902,9 +6902,8 @@ std::unique_ptr<DynamicRefTable> DynamicRefTable::clone() const { status_t DynamicRefTable::load(const ResTable_lib_header* const header) { const uint32_t entryCount = dtohl(header->count); - const uint32_t sizeOfEntries = sizeof(ResTable_lib_entry) * entryCount; const uint32_t expectedSize = dtohl(header->header.size) - dtohl(header->header.headerSize); - if (sizeOfEntries > expectedSize) { + if (entryCount > (expectedSize / sizeof(ResTable_lib_entry))) { ALOGE("ResTable_lib_header size %u is too small to fit %u entries (x %u).", expectedSize, entryCount, (uint32_t)sizeof(ResTable_lib_entry)); return UNKNOWN_ERROR; |