Make sure we don't go past the end in CheckIntraDebugInfoItem
Bug: 285434622
Fixes: 285434622
Test: SANITIZE_HOST='address' m \
test-art-host-gtest-art_libdexfile_tests64
Change-Id: Ie427d2b14e2414fa326fb818317e94c7789f4417
diff --git a/libdexfile/dex/dex_file_loader_test.cc b/libdexfile/dex/dex_file_loader_test.cc
index 0ae59d3..7275032 100644
--- a/libdexfile/dex/dex_file_loader_test.cc
+++ b/libdexfile/dex/dex_file_loader_test.cc
@@ -257,6 +257,24 @@
"BgAAAAEAAADYAAAABwAAAAIAAAD4AAAAAPAAAAAAAQAEAQAAAiAAAAoAAAAqAQAA"
"AyAAAC0AAACHAQAAACAAAAEAAACSAQAAABAAAAEAAACgAQAA";
+static const char kRawBadDebugInfoItem[] =
+ "ZGV4CjAzOAAaShJb6q0xSzOzJXwUA/IZmxR8x10yt8X0AgAAcAAAAHhWNBIwQB8z"
+ "AAAAAFQCAAAQAAAIcAAAAAcAAACwAAAAAwAAAMwAAAABAAAA8AAAAPz/9wD4AAAA"
+ "AQAAOhgBAAC8AQA5AQAAAH4BAACAgAAAAAAAAAAAAAAEAAABAAn///kACAAAAAAA"
+ "BgAAAAgACgIAABcCAAClAAIAIwIAACgCAAAxAgDeAgAAAEAAAAAEAAAABQBQAAYA"
+ "AAAIAAAAAAAAAAAAAAcAAAEACf8Y+QAIAAAAAAAGAAAACAAAAAwAAICAgIAAAAIA"
+ "IwL5ACgCAAAwAgACAQAAAAMAAAAEAAAABQBQAAYAAAAIAAAAAAAAAAADAAEACf//"
+ "+QAIAAAAAAAGAAAACAAKAgAAFwMAAKUAAAMAAAAEAAAABQAAAAYAAAAEAAAAAgAA"
+ "AAAAgIAACQAFEAAAAIAABACAgIAAAAAsCH4AAAAAAAYAAAAIAAAADAAAAAUAAAAC"
+ "AAAAAICABICAgAAAAICAAAUAAAAGAAAACAAAAwAAAAAABAAAAAIAAAAM+f8ABQAA"
+ "AAIAAACAgIAAAAQAgACAAIAALAB+AACAAAAGAAAACAAAAAwAAAAFAACAAgAAAACA"
+ "gIAAAAAAAIAAAAAAAAAAAAAAAAQAAAACAAAAAACAAATmgICAAAAAABMAAAAAAACA"
+ "AAAAAAgAAAAMAAAABQAAAAIAAAAAgIAEgICAAAAAgIAABQAAAAYAAAAIAAADAAAA"
+ "AAAEAAAAAgAAAAwAAAAFAAAAAgANAAAAAAAjAAEAAAAAAAAABwAAABAAAABwAAAA"
+ "AgAAAAcAAACwAAAAAyAAAEEAAADMAAAABAAAAAEnAADwAAAABQAAAAQAA/j4AAAA"
+ "BgAAAFv///8bAQAAAQAAAAAAAG81AQAAARAAAAIAAABwAQAAAiAAABAAAAB+AQAA"
+ "AwAAKQIAAAA3AgAAACAAAAEAAABDAgAAABAAAAEAAABUAgAA";
+
static void DecodeDexFile(const char* base64, std::vector<uint8_t>* dex_bytes) {
// decode base64
CHECK(base64 != nullptr);
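Review bot: kRawBadDebugInfoItem is added as an opaque base64 blob with no comment saying what is wrong with it, so the next person who has to regenerate or shrink this fixture has nothing to go on but the bug number in the commit message. The commit title suggests the debug_info_item's opcode stream reaches the end of the file before a DBG_END_SEQUENCE, but that is inferred, not visible here; a one-line comment above the declaration such as `// Dex whose debug_info_item is truncated: the opcode stream hits end-of-file before DBG_END_SEQUENCE (b/285434622).` would pin it down, adjusted to whatever the actual malformation is. If the blob was produced by a fuzzer or by hand-editing another fixture, naming the source there would help too.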
@@ -553,4 +571,8 @@
OpenAndVerify(kHiddenAPIClassDataBadOffset, /*expected_success=*/false);
}
+TEST_F(DexFileLoaderTest, BadDebugInfoItem) {
+ OpenAndVerify(kRawBadDebugInfoItem, /*expected_success=*/false);
+}
+
} // namespace art
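Review bot: The new test only asserts that verification fails, not why, so if some other verifier check starts rejecting this file first, the debug-info bound check on the verifier side could regress without this test noticing. If OpenAndVerify (defined outside the hunk) or the underlying verifier exposes the error string, asserting that it mentions the debug info item, e.g. something along the lines of `OpenAndVerify(kRawBadDebugInfoItem, /*expected_success=*/false, "debug info")` if such an overload exists, would tie the test to the fix. If no such hook exists, a short comment on the test stating which check it is meant to exercise would at least document the intent.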
diff --git a/libdexfile/dex/dex_file_verifier.cc b/libdexfile/dex/dex_file_verifier.cc
index fac703f..cc1f88c 100644
--- a/libdexfile/dex/dex_file_verifier.cc
+++ b/libdexfile/dex/dex_file_verifier.cc
@@ -1738,6 +1738,10 @@
}
while (true) {
+ if (UNLIKELY(ptr_ >= begin_ + size_)) {
+ // Went past the end.
+ return false;
+ }
uint8_t opcode = *(ptr_++);
switch (opcode) {
case DexFile::DBG_END_SEQUENCE: {
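Review bot: The added guard bounds only the opcode byte read at `uint8_t opcode = *(ptr_++);`; each opcode below then reads its operands (LEB128 values and similar) from ptr_, and those reads are outside this hunk. If any of them use an unchecked decoder, a debug_info_item whose last opcode is cut off mid-operand can still read past `begin_ + size_` even with this fix, so please confirm every operand read in the switch is bounds-checked against the same end pointer, or compute `const uint8_t* const end = begin_ + size_;` once before the loop and use it for both the opcode check and the operand decoders. The early `return false` also leaves no error message, unlike what I would expect from the verifier's other failure paths; if there is a standard error-reporting helper, a message such as "debug info item runs past end of file" would make the rejection diagnosable. CheckIntraDebugInfoItem starts and ends outside the hunk.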