diff options
author | Adam Lesinski <adamlesinski@google.com> | 2017-11-09 17:12:17 -0800 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-02-26 23:52:06 +0000 |
commit | 9f4c9c136871c285c579da3b89e66ac6b40c332a (patch) | |
tree | e04fdea8d92651b101c6d9535ee4b09fed3a023c | |
parent | e6e4ebf47ebf695541f3318b292045abf3df86ef (diff) | |
download | base-9f4c9c136871c285c579da3b89e66ac6b40c332a.tar.gz |
Check for null-terminator in ResStringPool::string8At
All other stringAt methods check for null termination. Be consistent
so that upper levels don't end up with huge corrupt strings.
Bug: 62537081
Test: none
Change-Id: I17bdfb0c1e34507b66c6cad651bbdb12c5d4c417
(cherry picked from commit 3d35a0ea307693a97583a61973e729a5e7db2687)
(cherry picked from commit 97f8cb01149b35b1832c7f9efe85ff19edf1083e)
(cherry picked from commit 5ec65ae909a85d13d03c030be357c8c14a50d306)
-rw-r--r-- | libs/androidfw/ResourceTypes.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp index 0782269d7de1..733ffb180b3b 100644 --- a/libs/androidfw/ResourceTypes.cpp +++ b/libs/androidfw/ResourceTypes.cpp @@ -813,7 +813,13 @@ const char* ResStringPool::string8At(size_t idx, size_t* outLen) const *outLen = encLen; if ((uint32_t)(str+encLen-strings) < mStringPoolSize) { - return (const char*)str; + // Reject malformed (non null-terminated) strings + if (str[encLen] != 0x00) { + ALOGW("Bad string block: string #%d is not null-terminated", + (int)idx); + return NULL; + } + return (const char*)str; } else { ALOGW("Bad string block: string #%d extends to %d, past end at %d\n", (int)idx, (int)(str+encLen-strings), (int)mStringPoolSize); |