Gitiles
Code Review Sign In
review.blissroms.org / platform_frameworks_base / 7ad1110ecd6a840fcd2895c62668828a1ca029c6 / . / libs / androidfw / LoadedArsc.cpp
blob: 94d0d4638ba8997fc66ed5bb208ad5ce1511dda1 [file] [log] [blame]
Adam Lesinski7ad11102016-10-28 16:39:15 -0700[diff] [blame^]1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define ATRACE_TAG ATRACE_TAG_RESOURCES
18
19#include "androidfw/LoadedArsc.h"
20
21#include <cstddef>
22#include <limits>
23
24#include "android-base/logging.h"
25#include "android-base/stringprintf.h"
26#include "utils/ByteOrder.h"
27#include "utils/Trace.h"
28
29#ifdef _WIN32
30#ifdef ERROR
31#undef ERROR
32#endif
33#endif
34
35#include "Chunk.h"
36#include "androidfw/ByteBucketArray.h"
37#include "androidfw/Util.h"
38
39using android::base::StringPrintf;
40
41namespace android {
42
43namespace {
44
45// Element of a TypeSpec array. See TypeSpec.
46struct Type {
47 // The configuration for which this type defines entries.
48 // This is already converted to host endianness.
49 ResTable_config configuration;
50
51 // Pointer to the mmapped data where entry definitions are kept.
52 const ResTable_type* type;
53};
54
55// TypeSpec is going to be immediately proceeded by
56// an array of Type structs, all in the same block of memory.
57struct TypeSpec {
58 // Pointer to the mmapped data where flags are kept.
59 // Flags denote whether the resource entry is public
60 // and under which configurations it varies.
61 const ResTable_typeSpec* type_spec;
62
63 // The number of types that follow this struct.
64 // There is a type for each configuration
65 // that entries are defined for.
66 size_t type_count;
67
68 // Trick to easily access a variable number of Type structs
69 // proceeding this struct, and to ensure their alignment.
70 const Type types[0];
71};
72
73// TypeSpecPtr points to the block of memory that holds
74// a TypeSpec struct, followed by an array of Type structs.
75// TypeSpecPtr is a managed pointer that knows how to delete
76// itself.
77using TypeSpecPtr = util::unique_cptr<TypeSpec>;
78
79// Builder that helps accumulate Type structs and then create a single
80// contiguous block of memory to store both the TypeSpec struct and
81// the Type structs.
82class TypeSpecPtrBuilder {
83 public:
84 TypeSpecPtrBuilder(const ResTable_typeSpec* header) : header_(header) {}
85
86 void AddType(const ResTable_type* type) {
87 ResTable_config config;
88 config.copyFromDtoH(type->config);
89 types_.push_back(Type{config, type});
90 }
91
92 TypeSpecPtr Build() {
93 // Check for overflow.
94 if ((std::numeric_limits<size_t>::max() - sizeof(TypeSpec)) / sizeof(Type) < types_.size()) {
95 return {};
96 }
97 TypeSpec* type_spec = (TypeSpec*)::malloc(sizeof(TypeSpec) + (types_.size() * sizeof(Type)));
98 type_spec->type_spec = header_;
99 type_spec->type_count = types_.size();
100 memcpy(type_spec + 1, types_.data(), types_.size() * sizeof(Type));
101 return TypeSpecPtr(type_spec);
102 }
103
104 private:
105 DISALLOW_COPY_AND_ASSIGN(TypeSpecPtrBuilder);
106
107 const ResTable_typeSpec* header_;
108 std::vector<Type> types_;
109};
110
111} // namespace
112
113class LoadedPackage {
114 public:
115 LoadedPackage() = default;
116
117 bool FindEntry(uint8_t type_id, uint16_t entry_id, const ResTable_config& config,
118 LoadedArsc::Entry* out_entry, ResTable_config* out_selected_config,
119 uint32_t* out_flags) const;
120
121 ResStringPool type_string_pool_;
122 ResStringPool key_string_pool_;
123 std::string package_name_;
124 int package_id_ = -1;
125
126 ByteBucketArray<TypeSpecPtr> type_specs_;
127
128 private:
129 DISALLOW_COPY_AND_ASSIGN(LoadedPackage);
130};
131
132bool LoadedPackage::FindEntry(uint8_t type_id, uint16_t entry_id, const ResTable_config& config,
133 LoadedArsc::Entry* out_entry, ResTable_config* out_selected_config,
134 uint32_t* out_flags) const {
135 ATRACE_NAME("LoadedPackage::FindEntry");
136 const TypeSpecPtr& ptr = type_specs_[type_id];
137 if (ptr == nullptr) {
138 return false;
139 }
140
141 // Don't bother checking if the entry ID is larger than
142 // the number of entries.
143 if (entry_id >= dtohl(ptr->type_spec->entryCount)) {
144 return false;
145 }
146
147 const ResTable_config* best_config = nullptr;
148 const ResTable_type* best_type = nullptr;
149 uint32_t best_offset = 0;
150
151 for (uint32_t i = 0; i < ptr->type_count; i++) {
152 const Type* type = &ptr->types[i];
153
154 if (type->configuration.match(config) &&
155 (best_config == nullptr || type->configuration.isBetterThan(*best_config, &config))) {
156 // The configuration matches and is better than the previous selection.
157 // Find the entry value if it exists for this configuration.
158 size_t entry_count = dtohl(type->type->entryCount);
159 if (entry_id < entry_count) {
160 const uint32_t* entry_offsets = reinterpret_cast<const uint32_t*>(
161 reinterpret_cast<const uint8_t*>(type->type) + dtohs(type->type->header.headerSize));
162 const uint32_t offset = dtohl(entry_offsets[entry_id]);
163 if (offset != ResTable_type::NO_ENTRY) {
164 // There is an entry for this resource, record it.
165 best_config = &type->configuration;
166 best_type = type->type;
167 best_offset = offset + dtohl(type->type->entriesStart);
168 }
169 }
170 }
171 }
172
173 if (best_type == nullptr) {
174 return false;
175 }
176
177 const uint32_t* flags = reinterpret_cast<const uint32_t*>(ptr->type_spec + 1);
178 *out_flags = dtohl(flags[entry_id]);
179 *out_selected_config = *best_config;
180
181 const ResTable_entry* best_entry = reinterpret_cast<const ResTable_entry*>(
182 reinterpret_cast<const uint8_t*>(best_type) + best_offset);
183 out_entry->entry = best_entry;
184 out_entry->type_string_ref = StringPoolRef(&type_string_pool_, best_type->id - 1);
185 out_entry->entry_string_ref = StringPoolRef(&key_string_pool_, dtohl(best_entry->key.index));
186 return true;
187}
188
189// The destructor gets generated into arbitrary translation units
190// if left implicit, which causes the compiler to complain about
191// forward declarations and incomplete types.
192LoadedArsc::~LoadedArsc() {}
193
194bool LoadedArsc::FindEntry(uint32_t resid, const ResTable_config& config, Entry* out_entry,
195 ResTable_config* out_selected_config, uint32_t* out_flags) const {
196 ATRACE_NAME("LoadedArsc::FindEntry");
197 const uint8_t package_id = util::get_package_id(resid);
198 const uint8_t type_id = util::get_type_id(resid);
199 const uint16_t entry_id = util::get_entry_id(resid);
200
201 if (type_id == 0) {
202 LOG(ERROR) << "Invalid ID 0x" << std::hex << resid << std::dec << ".";
203 return false;
204 }
205
206 for (const auto& loaded_package : packages_) {
207 if (loaded_package->package_id_ == package_id) {
208 return loaded_package->FindEntry(type_id - 1, entry_id, config, out_entry,
209 out_selected_config, out_flags);
210 }
211 }
212 return false;
213}
214
215const std::string* LoadedArsc::GetPackageNameForId(uint32_t resid) const {
216 const uint8_t package_id = util::get_package_id(resid);
217 for (const auto& loaded_package : packages_) {
218 if (loaded_package->package_id_ == package_id) {
219 return &loaded_package->package_name_;
220 }
221 }
222 return nullptr;
223}
224
225static bool VerifyType(const Chunk& chunk) {
226 ATRACE_CALL();
227 const ResTable_type* header = chunk.header<ResTable_type>();
228
229 const size_t entry_count = dtohl(header->entryCount);
230 if (entry_count > std::numeric_limits<uint16_t>::max()) {
231 LOG(ERROR) << "Too many entries in RES_TABLE_TYPE_TYPE.";
232 return false;
233 }
234
235 // Make sure that there is enough room for the entry offsets.
236 const size_t offsets_offset = chunk.header_size();
237 const size_t entries_offset = dtohl(header->entriesStart);
238 const size_t offsets_length = sizeof(uint32_t) * entry_count;
239
240 if (offsets_offset + offsets_length > entries_offset) {
241 LOG(ERROR) << "Entry offsets overlap actual entry data.";
242 return false;
243 }
244
245 if (entries_offset > chunk.size()) {
246 LOG(ERROR) << "Entry offsets extend beyond chunk.";
247 return false;
248 }
249
250 if (entries_offset & 0x03) {
251 LOG(ERROR) << "Entries start at unaligned address.";
252 return false;
253 }
254
255 // Check each entry offset.
256 const uint32_t* offsets =
257 reinterpret_cast<const uint32_t*>(reinterpret_cast<const uint8_t*>(header) + offsets_offset);
258 for (size_t i = 0; i < entry_count; i++) {
259 uint32_t offset = dtohl(offsets[i]);
260 if (offset != ResTable_type::NO_ENTRY) {
261 // Check that the offset is aligned.
262 if (offset & 0x03) {
263 LOG(ERROR) << "Entry offset at index " << i << " is not 4-byte aligned.";
264 return false;
265 }
266
267 // Check that the offset doesn't overflow.
268 if (offset > std::numeric_limits<uint32_t>::max() - entries_offset) {
269 // Overflow in offset.
270 LOG(ERROR) << "Entry offset at index " << i << " is too large.";
271 return false;
272 }
273
274 offset += entries_offset;
275 if (offset > chunk.size() - sizeof(ResTable_entry)) {
276 LOG(ERROR) << "Entry offset at index " << i << " is too large. No room for ResTable_entry.";
277 return false;
278 }
279
280 const ResTable_entry* entry = reinterpret_cast<const ResTable_entry*>(
281 reinterpret_cast<const uint8_t*>(header) + offset);
282 const size_t entry_size = dtohs(entry->size);
283 if (entry_size < sizeof(*entry)) {
284 LOG(ERROR) << "ResTable_entry size " << entry_size << " is too small.";
285 return false;
286 }
287
288 // Check the declared entrySize.
289 if (entry_size > chunk.size() || offset > chunk.size() - entry_size) {
290 LOG(ERROR) << "ResTable_entry size " << entry_size << " is too large.";
291 return false;
292 }
293
294 // If this is a map entry, then keep validating.
295 if (entry_size >= sizeof(ResTable_map_entry)) {
296 const ResTable_map_entry* map = reinterpret_cast<const ResTable_map_entry*>(entry);
297 const size_t map_entry_count = dtohl(map->count);
298
299 size_t map_entries_start = offset + entry_size;
300 if (map_entries_start & 0x03) {
301 LOG(ERROR) << "Map entries start at unaligned offset.";
302 return false;
303 }
304
305 // Each entry is sizeof(ResTable_map) big.
306 if (map_entry_count > ((chunk.size() - map_entries_start) / sizeof(ResTable_map))) {
307 LOG(ERROR) << "Too many map entries in ResTable_map_entry.";
308 return false;
309 }
310
311 // Great, all the map entries fit!.
312 } else {
313 // There needs to be room for one Res_value struct.
314 if (offset + entry_size > chunk.size() - sizeof(Res_value)) {
315 LOG(ERROR) << "No room for Res_value after ResTable_entry.";
316 return false;
317 }
318
319 const Res_value* value = reinterpret_cast<const Res_value*>(
320 reinterpret_cast<const uint8_t*>(entry) + entry_size);
321 const size_t value_size = dtohs(value->size);
322 if (value_size < sizeof(Res_value)) {
323 LOG(ERROR) << "Res_value is too small.";
324 return false;
325 }
326
327 if (value_size > chunk.size() || offset + entry_size > chunk.size() - value_size) {
328 LOG(ERROR) << "Res_value size is too large.";
329 return false;
330 }
331 }
332 }
333 }
334 return true;
335}
336
337static bool LoadPackage(const Chunk& chunk, LoadedPackage* loaded_package) {
338 ATRACE_CALL();
339 const ResTable_package* header = chunk.header<ResTable_package>();
340 if (header == nullptr) {
341 LOG(ERROR) << "Chunk RES_TABLE_PACKAGE_TYPE is too small.";
342 return false;
343 }
344
345 loaded_package->package_id_ = dtohl(header->id);
346
347 // A TypeSpec builder. We use this to accumulate the set of Types
348 // available for a TypeSpec, and later build a single, contiguous block
349 // of memory that holds all the Types together with the TypeSpec.
350 std::unique_ptr<TypeSpecPtrBuilder> types_builder;
351
352 // Keep track of the last seen type index. Since type IDs are 1-based,
353 // this records their index, which is 0-based (type ID - 1).
354 uint8_t last_type_idx = 0;
355
356 ChunkIterator iter(chunk.data_ptr(), chunk.data_size());
357 while (iter.HasNext()) {
358 const Chunk child_chunk = iter.Next();
359 switch (child_chunk.type()) {
360 case RES_STRING_POOL_TYPE: {
361 const uintptr_t pool_address =
362 reinterpret_cast<uintptr_t>(child_chunk.header<ResChunk_header>());
363 const uintptr_t header_address = reinterpret_cast<uintptr_t>(header);
364 if (pool_address == header_address + dtohl(header->typeStrings)) {
365 // This string pool is the type string pool.
366 status_t err = loaded_package->type_string_pool_.setTo(
367 child_chunk.header<ResStringPool_header>(), child_chunk.size());
368 if (err != NO_ERROR) {
369 LOG(ERROR) << "Corrupt package type string pool.";
370 return false;
371 }
372 } else if (pool_address == header_address + dtohl(header->keyStrings)) {
373 // This string pool is the key string pool.
374 status_t err = loaded_package->key_string_pool_.setTo(
375 child_chunk.header<ResStringPool_header>(), child_chunk.size());
376 if (err != NO_ERROR) {
377 LOG(ERROR) << "Corrupt package key string pool.";
378 return false;
379 }
380 } else {
381 LOG(WARNING) << "Too many string pool chunks found in package.";
382 }
383 } break;
384
385 case RES_TABLE_TYPE_SPEC_TYPE: {
386 ATRACE_NAME("LoadTableTypeSpec");
387
388 // Starting a new TypeSpec, so finish the old one if there was one.
389 if (types_builder) {
390 TypeSpecPtr type_spec_ptr = types_builder->Build();
391 if (type_spec_ptr == nullptr) {
392 LOG(ERROR) << "Too many type configurations, overflow detected.";
393 return false;
394 }
395
396 loaded_package->type_specs_.editItemAt(last_type_idx) = std::move(type_spec_ptr);
397
398 types_builder = {};
399 last_type_idx = 0;
400 }
401
402 const ResTable_typeSpec* type_spec = child_chunk.header<ResTable_typeSpec>();
403 if (type_spec == nullptr) {
404 LOG(ERROR) << "Chunk RES_TABLE_TYPE_SPEC_TYPE is too small.";
405 return false;
406 }
407
408 if (type_spec->id == 0) {
409 LOG(ERROR) << "Chunk RES_TABLE_TYPE_SPEC_TYPE has invalid ID 0.";
410 return false;
411 }
412
413 // The data portion of this chunk contains entry_count 32bit entries,
414 // each one representing a set of flags.
415 // Here we only validate that the chunk is well formed.
416 const size_t entry_count = dtohl(type_spec->entryCount);
417
418 // There can only be 2^16 entries in a type, because that is the ID
419 // space for entries (EEEE) in the resource ID 0xPPTTEEEE.
420 if (entry_count > std::numeric_limits<uint16_t>::max()) {
421 LOG(ERROR) << "Too many entries in RES_TABLE_TYPE_SPEC_TYPE: " << entry_count << ".";
422 return false;
423 }
424
425 if (entry_count * sizeof(uint32_t) > chunk.data_size()) {
426 LOG(ERROR) << "Chunk too small to hold entries in RES_TABLE_TYPE_SPEC_TYPE.";
427 return false;
428 }
429
430 last_type_idx = type_spec->id - 1;
431 types_builder = util::make_unique<TypeSpecPtrBuilder>(type_spec);
432 } break;
433
434 case RES_TABLE_TYPE_TYPE: {
435 const ResTable_type* type = child_chunk.header<ResTable_type>();
436 if (type == nullptr) {
437 LOG(ERROR) << "Chunk RES_TABLE_TYPE_TYPE is too small.";
438 return false;
439 }
440
441 if (type->id == 0) {
442 LOG(ERROR) << "Chunk RES_TABLE_TYPE_TYPE has invalid ID 0.";
443 return false;
444 }
445
446 // Type chunks must be preceded by their TypeSpec chunks.
447 if (!types_builder || type->id - 1 != last_type_idx) {
448 LOG(ERROR) << "Found RES_TABLE_TYPE_TYPE chunk without "
449 "RES_TABLE_TYPE_SPEC_TYPE.";
450 return false;
451 }
452
453 if (!VerifyType(child_chunk)) {
454 return false;
455 }
456
457 types_builder->AddType(type);
458 } break;
459
460 default:
461 LOG(WARNING) << base::StringPrintf("Unknown chunk type '%02x'.", chunk.type());
462 break;
463 }
464 }
465
466 // Finish the last TypeSpec.
467 if (types_builder) {
468 TypeSpecPtr type_spec_ptr = types_builder->Build();
469 if (type_spec_ptr == nullptr) {
470 LOG(ERROR) << "Too many type configurations, overflow detected.";
471 return false;
472 }
473 loaded_package->type_specs_.editItemAt(last_type_idx) = std::move(type_spec_ptr);
474 }
475
476 if (iter.HadError()) {
477 LOG(ERROR) << iter.GetLastError();
478 return false;
479 }
480 return true;
481}
482
483bool LoadedArsc::LoadTable(const Chunk& chunk) {
484 ATRACE_CALL();
485 const ResTable_header* header = chunk.header<ResTable_header>();
486 if (header == nullptr) {
487 LOG(ERROR) << "Chunk RES_TABLE_TYPE is too small.";
488 return false;
489 }
490
491 const size_t package_count = dtohl(header->packageCount);
492 size_t packages_seen = 0;
493
494 packages_.reserve(package_count);
495
496 ChunkIterator iter(chunk.data_ptr(), chunk.data_size());
497 while (iter.HasNext()) {
498 const Chunk child_chunk = iter.Next();
499 switch (child_chunk.type()) {
500 case RES_STRING_POOL_TYPE:
501 // Only use the first string pool. Ignore others.
502 if (global_string_pool_.getError() == NO_INIT) {
503 status_t err = global_string_pool_.setTo(child_chunk.header<ResStringPool_header>(),
504 child_chunk.size());
505 if (err != NO_ERROR) {
506 LOG(ERROR) << "Corrupt string pool.";
507 return false;
508 }
509 } else {
510 LOG(WARNING) << "Multiple string pool chunks found in resource table.";
511 }
512 break;
513
514 case RES_TABLE_PACKAGE_TYPE: {
515 if (packages_seen + 1 > package_count) {
516 LOG(ERROR) << "More package chunks were found than the " << package_count
517 << " declared in the "
518 "header.";
519 return false;
520 }
521 packages_seen++;
522
523 std::unique_ptr<LoadedPackage> loaded_package = util::make_unique<LoadedPackage>();
524 if (!LoadPackage(child_chunk, loaded_package.get())) {
525 return false;
526 }
527 packages_.push_back(std::move(loaded_package));
528 } break;
529
530 default:
531 LOG(WARNING) << base::StringPrintf("Unknown chunk type '%02x'.", chunk.type());
532 break;
533 }
534 }
535
536 if (iter.HadError()) {
537 LOG(ERROR) << iter.GetLastError();
538 return false;
539 }
540 return true;
541}
542
543std::unique_ptr<LoadedArsc> LoadedArsc::Load(const void* data, size_t len) {
544 ATRACE_CALL();
545
546 // Not using make_unique because the constructor is private.
547 std::unique_ptr<LoadedArsc> loaded_arsc(new LoadedArsc());
548
549 ChunkIterator iter(data, len);
550 while (iter.HasNext()) {
551 const Chunk chunk = iter.Next();
552 switch (chunk.type()) {
553 case RES_TABLE_TYPE:
554 if (!loaded_arsc->LoadTable(chunk)) {
555 return {};
556 }
557 break;
558
559 default:
560 LOG(WARNING) << base::StringPrintf("Unknown chunk type '%02x'.", chunk.type());
561 break;
562 }
563 }
564
565 if (iter.HadError()) {
566 LOG(ERROR) << iter.GetLastError();
567 return {};
568 }
569 return loaded_arsc;
570}
571
572} // namespace android