diff options
| author | 2015-03-12 21:17:48 +0000 | |
|---|---|---|
| committer | 2015-03-12 21:17:50 +0000 | |
| commit | 1808d437e687fbc7b054611bf51932ec0e8b32f0 (patch) | |
| tree | 0e68c8083d3b29ab7e4bdf5a3621106159f26268 | |
| parent | d6ee06a0c86d9d1556bb4b15c9aaea538e415e38 (diff) | |
| parent | 6521a1b7430e7b3298633236645e2c0b5fd56c00 (diff) | |
Merge "Enforce null-termination in ResStringPool::stringAt"
| -rw-r--r-- | libs/androidfw/ResourceTypes.cpp | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp index 6f93c820bf92..d5d583c7ae14 100644 --- a/libs/androidfw/ResourceTypes.cpp +++ b/libs/androidfw/ResourceTypes.cpp @@ -701,6 +701,12 @@ const char16_t* ResStringPool::stringAt(size_t idx, size_t* u16len) const *u16len = decodeLength(&str); if ((uint32_t)(str+*u16len-strings) < mStringPoolSize) { + // Reject malformed (non null-terminated) strings + if (str[*u16len] != 0x0000) { + ALOGW("Bad string block: string #%d is not null-terminated", + (int)idx); + return NULL; + } return reinterpret_cast<const char16_t*>(str); } else { ALOGW("Bad string block: string #%d extends to %d, past end at %d\n", @@ -748,6 +754,13 @@ const char16_t* ResStringPool::stringAt(size_t idx, size_t* u16len) const return NULL; } + // Reject malformed (non null-terminated) strings + if (u8str[u8len] != 0x00) { + ALOGW("Bad string block: string #%d is not null-terminated", + (int)idx); + return NULL; + } + char16_t *u16str = (char16_t *)calloc(*u16len+1, sizeof(char16_t)); if (!u16str) { ALOGW("No memory when trying to allocate decode cache for string #%d\n", |