Do not include image header in decompressed size
Could cause a buffer overflow since we told LZ4 to decompress more
bytes than necessary.
Bug: 27561308
(cherry picked from commit 324eb2c6b049f1677133f0b708730e904c5e73ab)
Change-Id: I524c03b8f0e8a84814dbd8678285184e9d4da9f1
diff --git a/runtime/gc/space/image_space.cc b/runtime/gc/space/image_space.cc
index 9ecd391..b4b1f39 100644
--- a/runtime/gc/space/image_space.cc
+++ b/runtime/gc/space/image_space.cc
@@ -1283,7 +1283,7 @@
/*out*/out_error_msg));
if (map != nullptr) {
const size_t stored_size = image_header->GetDataSize();
- const size_t write_offset = sizeof(ImageHeader); // Skip the header.
+ const size_t decompress_offset = sizeof(ImageHeader); // Skip the header.
std::unique_ptr<MemMap> temp_map(MemMap::MapFile(sizeof(ImageHeader) + stored_size,
PROT_READ,
MAP_PRIVATE,
@@ -1302,14 +1302,15 @@
TimingLogger::ScopedTiming timing2("LZ4 decompress image", &logger);
const size_t decompressed_size = LZ4_decompress_safe(
reinterpret_cast<char*>(temp_map->Begin()) + sizeof(ImageHeader),
- reinterpret_cast<char*>(map->Begin()) + write_offset,
+ reinterpret_cast<char*>(map->Begin()) + decompress_offset,
stored_size,
- map->Size());
+ map->Size() - decompress_offset);
VLOG(image) << "Decompressing image took " << PrettyDuration(NanoTime() - start);
if (decompressed_size + sizeof(ImageHeader) != image_header->GetImageSize()) {
- *error_msg = StringPrintf("Decompressed size does not match expected image size %zu vs %zu",
- decompressed_size + sizeof(ImageHeader),
- image_header->GetImageSize());
+ *error_msg = StringPrintf(
+ "Decompressed size does not match expected image size %zu vs %zu",
+ decompressed_size + sizeof(ImageHeader),
+ image_header->GetImageSize());
return nullptr;
}
}
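Review bot: `LZ4_decompress_safe` returns a negative `int` when the compressed input is malformed, and the rewritten call at `const size_t decompressed_size = LZ4_decompress_safe(` still stores that result straight into a `size_t`, so a corrupt image is only caught indirectly by the size-mismatch check below and the error message then reports a wrapped-around value rather than a decompression failure. Keeping the result as `int`, failing explicitly on a negative value, and converting afterwards makes the diagnosis clear and keeps the existing size comparison on a non-negative value. Separately, the new `map->Size() - decompress_offset` argument underflows if `map->Size()` is smaller than `sizeof(ImageHeader)`; presumably the header's image size was validated earlier in the function, but if it was not, a check that `map->Size() >= decompress_offset` before the call closes that path. The enclosing function begins before and continues after this hunk.
```cpp
const int lz4_result = LZ4_decompress_safe(
    reinterpret_cast<char*>(temp_map->Begin()) + sizeof(ImageHeader),
    reinterpret_cast<char*>(map->Begin()) + decompress_offset,
    stored_size,
    map->Size() - decompress_offset);
if (lz4_result < 0) {
  *error_msg = StringPrintf("LZ4 decompression of image failed with error %d", lz4_result);
  return nullptr;
}
const size_t decompressed_size = static_cast<size_t>(lz4_result);
// … unchanged: VLOG timing line and decompressed-size vs GetImageSize() check …
```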