Merge "Fix security issue in DynamicRefTable::load." into qt-qpr1-dev am: 084cc32ce8

Change-Id: Ie35cf55cff2162394abae816d1cfb0eefdc0aab6
author: TreeHugger Robot <treehugger-gerrit@google.com> 2020-03-23 19:38:50 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2020-03-23 19:38:50 +0000
commit: be6970b281b25f3deeca756fccead27b5c395f97 (patch)
tree: a0e6c09bd663f1d14bb25fd3c9dbc843c0f53103 /libs/androidfw
parent: b2a3cb02e5be613e63c562157058e320d83b1445 (diff)
parent: 084cc32ce890a39eeb760ef637709b0319d6b4cb (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp
index 66df59b4c83b..535386920265 100644
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -6902,9 +6902,8 @@ std::unique_ptr<DynamicRefTable> DynamicRefTable::clone() const {
 status_t DynamicRefTable::load(const ResTable_lib_header* const header)
 {
     const uint32_t entryCount = dtohl(header->count);
-    const uint32_t sizeOfEntries = sizeof(ResTable_lib_entry) * entryCount;
     const uint32_t expectedSize = dtohl(header->header.size) - dtohl(header->header.headerSize);
-    if (sizeOfEntries > expectedSize) {
+    if (entryCount > (expectedSize / sizeof(ResTable_lib_entry))) {
         ALOGE("ResTable_lib_header size %u is too small to fit %u entries (x %u).",
                 expectedSize, entryCount, (uint32_t)sizeof(ResTable_lib_entry));
         return UNKNOWN_ERROR;
author	TreeHugger Robot <treehugger-gerrit@google.com>	2020-03-23 19:38:50 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2020-03-23 19:38:50 +0000
commit	be6970b281b25f3deeca756fccead27b5c395f97 (patch)
tree	a0e6c09bd663f1d14bb25fd3c9dbc843c0f53103 /libs/androidfw
parent	b2a3cb02e5be613e63c562157058e320d83b1445 (diff)
parent	084cc32ce890a39eeb760ef637709b0319d6b4cb (diff)