From 8da1c38b69e947885fcec50cda46c5472ddb6746 Mon Sep 17 00:00:00 2001
From: Ryan Mitchell
Date: Fri, 23 Aug 2019 11:45:04 -0700
Subject: Fix security issue in DynamicRefTable::load.
A crafted resources arsc could cause libandroidfw to read data out of bounds of the resources arsc. This change updates the logic to calculate whether the ref table chunk is large enough to hold the number of entries specified in the header.
Bug: 129475100
Test: adb shell push ResTableTest data
Test: adb shell push poc.arsc data
Test: ./ResTableTest poc.arsc
Change-Id: Ifbaad87bdbcb7eecf554ef362e0118f53532a22a
---
 libs/androidfw/ResourceTypes.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp
index 2ad2e76cc696..8a035dbbc0f5 100644
--- a/libs/androidfw/ResourceTypes.cpp
+++ b/libs/androidfw/ResourceTypes.cpp
@@ -6902,9 +6902,8 @@ std::unique_ptr DynamicRefTable::clone() const {
 status_t DynamicRefTable::load(const ResTable_lib_header* const header) {
 const uint32_t entryCount = dtohl(header->count);
- const uint32_t sizeOfEntries = sizeof(ResTable_lib_entry) * entryCount;
 const uint32_t expectedSize = dtohl(header->header.size) - dtohl(header->header.headerSize);
- if (sizeOfEntries > expectedSize) {
+ if (entryCount > (expectedSize / sizeof(ResTable_lib_entry))) {
 ALOGE("ResTable_lib_header size %u is too small to fit %u entries (x %u).", expectedSize, entryCount, (uint32_t)sizeof(ResTable_lib_entry));
 return UNKNOWN_ERROR;
--
cgit v1.2.3-59-g8ed1b
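Review bot: The `expectedSize` subtraction is still unsigned, so a header whose `headerSize` exceeds `size` wraps to a very large value and the new division-based check then accepts almost any `entryCount`. Unless every caller already validates the chunk header before calling `load` (not visible in this hunk), add a guard before the subtraction, such as `if (dtohl(header->header.headerSize) > dtohl(header->header.size)) return UNKNOWN_ERROR;`. The reason for dividing instead of multiplying is not recorded in the code; a comment like `// Divide instead of multiplying: sizeof(ResTable_lib_entry) * entryCount can wrap in 32 bits and defeat the bound check.` would keep a later cleanup from reverting it. The commit message cites a manual run against poc.arsc, but the diffstat shows only this one file changed, so no regression test guards the fix. The body of `load` continues past the end of the hunk.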