Gitiles
Code Review Sign In
review.blissroms.org / platform_system_core_old / ad4f2e59af9fe207056099dc002eb80cacbc0f4f^! / .
commitad4f2e59af9fe207056099dc002eb80cacbc0f4f[log] [tgz]
authorKenny Root <kroot@google.com>Tue Jun 08 12:34:43 2010 -0700
committerAlex Ray <aray@google.com>Tue Jul 30 13:56:53 2013 -0700
tree598f6348ef56d0ee23b3f5af432fbf9a1e4017f1
parent65d3c95a4d9a5fb4f61de952af0abd0db5380c77 [diff]
Add invariant check for stylesString size

It was possible for stylesStrings to claim to start past the end of the
data area thereby making mStringPoolSize larger than the data area.

Change-Id: Ibc4d5b429e3a388516135801c8abc3681daae291

diff --git a/libs/utils/ResourceTypes.cpp b/libs/utils/ResourceTypes.cpp
index 954255b..4362d14 100644
--- a/libs/utils/ResourceTypes.cpp
+++ b/libs/utils/ResourceTypes.cpp

@@ -317,6 +317,12 @@
             mStringPoolSize =
                 (mHeader->header.size-mHeader->stringsStart)/charSize;
         } else {
+            // check invariant: styles starts before end of data
+            if (mHeader->stylesStart >= (mHeader->header.size-sizeof(uint16_t))) {
+                LOGW("Bad style block: style block starts at %d past data size of %d\n",
+                    (int)mHeader->stylesStart, (int)mHeader->header.size);
+                return (mError=BAD_TYPE);
+            }
             // check invariant: styles follow the strings
             if (mHeader->stylesStart <= mHeader->stringsStart) {
                 LOGW("Bad style block: style block starts at %d, before strings at %d\n",