diff options
Diffstat (limited to 'tools/aapt/XMLNode.cpp')
| -rw-r--r-- | tools/aapt/XMLNode.cpp | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/tools/aapt/XMLNode.cpp b/tools/aapt/XMLNode.cpp index 1860147dc2ee..dc08eb806356 100644 --- a/tools/aapt/XMLNode.cpp +++ b/tools/aapt/XMLNode.cpp @@ -441,7 +441,7 @@ void printXMLBlock(ResXMLTree* block) block->restart(); Vector<namespace_entry> namespaces; - + ResXMLTree::event_code_t code; int depth = 0; while ((code=block->next()) != ResXMLTree::END_DOCUMENT && code != ResXMLTree::BAD_DOCUMENT) { @@ -495,7 +495,12 @@ void printXMLBlock(ResXMLTree* block) printf("\n"); } } else if (code == ResXMLTree::END_TAG) { - depth--; + // Invalid tag nesting can be misused to break the parsing + // code below. Break if detected. + if (--depth < 0) { + printf("***BAD DEPTH in XMLBlock: %d\n", depth); + break; + } } else if (code == ResXMLTree::START_NAMESPACE) { namespace_entry ns; size_t len; @@ -511,7 +516,10 @@ void printXMLBlock(ResXMLTree* block) ns.uri.string()); depth++; } else if (code == ResXMLTree::END_NAMESPACE) { - depth--; + if (--depth < 0) { + printf("***BAD DEPTH in XMLBlock: %d\n", depth); + break; + } const namespace_entry& ns = namespaces.top(); size_t len; const char16_t* prefix16 = block->getNamespacePrefix(&len); @@ -689,7 +697,7 @@ const String8& XMLNode::getFilename() const { return mFilename; } - + const Vector<XMLNode::attribute_entry>& XMLNode::getAttributes() const { @@ -705,7 +713,7 @@ const XMLNode::attribute_entry* XMLNode::getAttribute(const String16& ns, return &ae; } } - + return NULL; } @@ -749,14 +757,14 @@ sp<XMLNode> XMLNode::searchElement(const String16& tagNamespace, const String16& && mElementName == tagName) { return this; } - + for (size_t i=0; i<mChildren.size(); i++) { sp<XMLNode> found = mChildren.itemAt(i)->searchElement(tagNamespace, tagName); if (found != NULL) { return found; } } - + return NULL; } @@ -770,7 +778,7 @@ sp<XMLNode> XMLNode::getChildElement(const String16& tagNamespace, const String1 return child; } } - + return NULL; } @@ -952,7 +960,7 @@ status_t XMLNode::parseValues(const sp<AaptAssets>& assets, ResourceTable* table) { bool hasErrors = false; - + if (getType() == TYPE_ELEMENT) { const size_t N = mAttributes.size(); String16 defPackage(assets->getPackage()); @@ -988,7 +996,7 @@ status_t XMLNode::assignResourceIds(const sp<AaptAssets>& assets, const ResourceTable* table) { bool hasErrors = false; - + if (getType() == TYPE_ELEMENT) { String16 attr("attr"); const char* errorMsg; @@ -1068,7 +1076,7 @@ status_t XMLNode::flatten(const sp<AaptFile>& dest, { StringPool strings(mUTF8); Vector<uint32_t> resids; - + // First collect just the strings for attribute names that have a // resource ID assigned to them. This ensures that the resource ID // array is compact, and makes it easier to deal with attribute names @@ -1116,7 +1124,7 @@ status_t XMLNode::flatten(const sp<AaptFile>& dest, dest->getSize(), (stringPool->getSize()*100)/dest->getSize(), dest->getPath().string()); } - + return NO_ERROR; } @@ -1192,7 +1200,7 @@ XMLNode::startNamespace(void *userData, const char *prefix, const char *uri) printf("Start Namespace: %s %s\n", prefix, uri); } ParseState* st = (ParseState*)userData; - sp<XMLNode> node = XMLNode::newNamespace(st->filename, + sp<XMLNode> node = XMLNode::newNamespace(st->filename, String16(prefix != NULL ? prefix : ""), String16(uri)); node->setStartLineNumber(XML_GetCurrentLineNumber(st->parser)); if (st->stack.size() > 0) { @@ -1313,7 +1321,7 @@ status_t XMLNode::collect_strings(StringPool* dest, Vector<uint32_t>* outResIds, bool stripComments, bool stripRawValues) const { collect_attr_strings(dest, outResIds, true); - + int i; if (RESOURCES_TOOLS_NAMESPACE != mNamespaceUri) { if (mNamespacePrefix.size() > 0) { |