Handle bad ninepatch data.

Changes proposed by Ben Hawkes of Google Project Zero.

NinePatchPeeker.cpp:
Instead of asserting, return false for bad data.

ResourceTypes.h:
Store ninepatch values as unsigned.

BUG:19151999
Change-Id: Ibe35e7569f632c6bb8a34a7701e26bb6ed547ec2
(cherry picked from commit a730ef3f77fc495bc90199b4d45efab26d609782)

2 files changed, 6 insertions, 4 deletions

diff --git a/core/jni/android/graphics/NinePatchPeeker.cpp b/core/jni/android/graphics/NinePatchPeeker.cpp
index df996afd0bf7..da4a80ca2a16 100644
--- a/core/jni/android/graphics/NinePatchPeeker.cpp
+++ b/core/jni/android/graphics/NinePatchPeeker.cpp
@@ -24,7 +24,9 @@ bool NinePatchPeeker::peek(const char tag[], const void* data, size_t length) {
     if (strcmp("npTc", tag) == 0 && length >= sizeof(Res_png_9patch)) {
         Res_png_9patch* patch = (Res_png_9patch*) data;
         size_t patchSize = patch->serializedSize();
-        assert(length == patchSize);
+        if (length != patchSize) {
+            return false;
+        }
         // You have to copy the data because it is owned by the png reader
         Res_png_9patch* patchNew = (Res_png_9patch*) malloc(patchSize);
         memcpy(patchNew, patch, patchSize);
diff --git a/include/androidfw/ResourceTypes.h b/include/androidfw/ResourceTypes.h
index 5b45d708726c..e1e05f177a00 100644
--- a/include/androidfw/ResourceTypes.h
+++ b/include/androidfw/ResourceTypes.h
@@ -107,9 +107,9 @@ struct Res_png_9patch
                        yDivs(NULL), colors(NULL) { }
 
     int8_t wasDeserialized;
-    int8_t numXDivs;
-    int8_t numYDivs;
-    int8_t numColors;
+    uint8_t numXDivs;
+    uint8_t numYDivs;
+    uint8_t numColors;
 
     // These tell where the next section of a patch starts.
     // For example, the first patch includes the pixels from