AAPT: Fix use-after-free error
Re-order deletion of ResXMLTree and the Asset object
it iterates over.
Bug:30844391
Change-Id: Ied033d0a8f93343006228a2054c6d0f42bb4717a
diff --git a/tools/aapt/Resource.cpp b/tools/aapt/Resource.cpp
index a7878d1..5f91f17 100644
--- a/tools/aapt/Resource.cpp
+++ b/tools/aapt/Resource.cpp
@@ -1033,7 +1033,6 @@
return NO_ERROR;
}
- ResXMLTree tree;
Asset* asset = assets.openNonAsset(cookie, "AndroidManifest.xml", Asset::ACCESS_STREAMING);
if (asset == NULL) {
fprintf(stderr, "ERROR: Platform AndroidManifest.xml not found\n");
@@ -1041,11 +1040,17 @@
}
ssize_t result = NO_ERROR;
- if (tree.setTo(asset->getBuffer(true), asset->getLength()) != NO_ERROR) {
- fprintf(stderr, "ERROR: Platform AndroidManifest.xml is corrupt\n");
- result = UNKNOWN_ERROR;
- } else {
- result = extractPlatformBuildVersion(tree, bundle);
+
+ // Create a new scope so that ResXMLTree is destroyed before we delete the memory over
+ // which it iterates (asset).
+ {
+ ResXMLTree tree;
+ if (tree.setTo(asset->getBuffer(true), asset->getLength()) != NO_ERROR) {
+ fprintf(stderr, "ERROR: Platform AndroidManifest.xml is corrupt\n");
+ result = UNKNOWN_ERROR;
+ } else {
+ result = extractPlatformBuildVersion(tree, bundle);
+ }
}
delete asset;